xref: /illumos-gate/usr/src/uts/common/fs/smbsrv/smb_fsops.c (revision 0245b61fd282e95735b173b8d95be0d6688163b4)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23  * Copyright 2020 Nexenta by DDN, Inc. All rights reserved.
24  */
25 
26 #include <sys/sid.h>
27 #include <sys/nbmlock.h>
28 #include <smbsrv/smb_fsops.h>
29 #include <smbsrv/smb_kproto.h>
30 #include <acl/acl_common.h>
31 #include <sys/fcntl.h>
32 #include <sys/filio.h>
33 #include <sys/flock.h>
34 #include <fs/fs_subr.h>
35 
36 extern caller_context_t smb_ct;
37 
38 static int smb_fsop_create_file_with_stream(smb_request_t *, cred_t *,
39     smb_node_t *, char *, char *, int, smb_attr_t *, smb_node_t **);
40 
41 static int smb_fsop_create_file(smb_request_t *, cred_t *, smb_node_t *,
42     char *, int, smb_attr_t *, smb_node_t **);
43 
44 #ifdef	_KERNEL
45 static int smb_fsop_create_with_sd(smb_request_t *, cred_t *, smb_node_t *,
46     char *, smb_attr_t *, smb_node_t **, smb_fssd_t *);
47 static int smb_fsop_sdinherit(smb_request_t *, smb_node_t *, smb_fssd_t *);
48 #endif	/* _KERNEL */
49 
50 /*
51  * The smb_fsop_* functions have knowledge of CIFS semantics.
52  *
53  * The smb_vop_* functions have minimal knowledge of CIFS semantics and
54  * serve as an interface to the VFS layer.
55  *
56  * Hence, smb_request_t and smb_node_t structures should not be passed
57  * from the smb_fsop_* layer to the smb_vop_* layer.
58  *
59  * In general, CIFS service code should only ever call smb_fsop_*
60  * functions directly, and never smb_vop_* functions directly.
61  *
62  * smb_fsop_* functions should call smb_vop_* functions where possible, instead
63  * of their smb_fsop_* counterparts.  However, there are times when
64  * this cannot be avoided.
65  */
66 
67 /*
68  * Note: Stream names cannot be mangled.
69  */
70 
71 /*
72  * smb_fsop_amask_to_omode
73  *
74  * Convert the access mask to the open mode (for use
75  * with the VOP_OPEN call).
76  *
77  * Note that opening a file for attribute only access
78  * will also translate into an FREAD or FWRITE open mode
79  * (i.e., it's not just for data).
80  *
81  * This is needed so that opens are tracked appropriately
82  * for oplock processing.
83  */
84 
85 int
86 smb_fsop_amask_to_omode(uint32_t access)
87 {
88 	int mode = 0;
89 
90 	if (access & (FILE_READ_DATA | FILE_EXECUTE |
91 	    FILE_READ_ATTRIBUTES | FILE_READ_EA))
92 		mode |= FREAD;
93 
94 	if (access & (FILE_WRITE_DATA | FILE_APPEND_DATA |
95 	    FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA))
96 		mode |= FWRITE;
97 
98 	if (access & FILE_APPEND_DATA)
99 		mode |= FAPPEND;
100 
101 	return (mode);
102 }
103 
104 int
105 smb_fsop_open(smb_node_t *node, int mode, cred_t *cred)
106 {
107 	/*
108 	 * Assuming that the same vnode is returned as we had before.
109 	 * (I.e., with certain types of files or file systems, a
110 	 * different vnode might be returned by VOP_OPEN)
111 	 */
112 	return (smb_vop_open(&node->vp, mode, cred));
113 }
114 
115 void
116 smb_fsop_close(smb_node_t *node, int mode, cred_t *cred)
117 {
118 	smb_vop_close(node->vp, mode, cred);
119 }
120 
121 #ifdef	_KERNEL
122 static int
123 smb_fsop_create_with_sd(smb_request_t *sr, cred_t *cr,
124     smb_node_t *dnode, char *name,
125     smb_attr_t *attr, smb_node_t **ret_snode, smb_fssd_t *fs_sd)
126 {
127 	vsecattr_t *vsap;
128 	vsecattr_t vsecattr;
129 	smb_attr_t set_attr;
130 	acl_t *acl, *dacl, *sacl;
131 	vnode_t *vp;
132 	cred_t *kcr = zone_kcred();
133 	int aclbsize = 0;	/* size of acl list in bytes */
134 	int flags = 0;
135 	int rc;
136 	boolean_t is_dir;
137 
138 	ASSERT(fs_sd);
139 	ASSERT(ret_snode != NULL);
140 
141 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
142 		flags = SMB_IGNORE_CASE;
143 	if (SMB_TREE_SUPPORTS_CATIA(sr))
144 		flags |= SMB_CATIA;
145 
146 	ASSERT(cr);
147 
148 	is_dir = ((fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR) != 0);
149 
150 	if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACLONCREATE)) {
151 		dacl = fs_sd->sd_zdacl;
152 		sacl = fs_sd->sd_zsacl;
153 		if (dacl != NULL || sacl != NULL) {
154 			if (dacl && sacl) {
155 				acl = smb_fsacl_merge(dacl, sacl);
156 			} else if (dacl) {
157 				acl = dacl;
158 			} else {
159 				acl = sacl;
160 			}
161 
162 			rc = smb_fsacl_to_vsa(acl, &vsecattr, &aclbsize);
163 
164 			if (dacl && sacl)
165 				acl_free(acl);
166 
167 			if (rc != 0)
168 				return (rc);
169 
170 			vsap = &vsecattr;
171 		} else {
172 			vsap = NULL;
173 		}
174 
175 		/* The tree ACEs may prevent a create */
176 		rc = EACCES;
177 		if (is_dir) {
178 			if (SMB_TREE_HAS_ACCESS(sr, ACE_ADD_SUBDIRECTORY) != 0)
179 				rc = smb_vop_mkdir(dnode->vp, name, attr,
180 				    &vp, flags, cr, vsap);
181 		} else {
182 			if (SMB_TREE_HAS_ACCESS(sr, ACE_ADD_FILE) != 0)
183 				rc = smb_vop_create(dnode->vp, name, attr,
184 				    &vp, flags, cr, vsap);
185 		}
186 
187 		if (vsap != NULL)
188 			kmem_free(vsap->vsa_aclentp, aclbsize);
189 
190 		if (rc != 0)
191 			return (rc);
192 
193 		set_attr.sa_mask = 0;
194 
195 		/*
196 		 * Ideally we should be able to specify the owner and owning
197 		 * group at create time along with the ACL. Since we cannot
198 		 * do that right now, kcred is passed to smb_vop_setattr so it
199 		 * doesn't fail due to lack of permission.
200 		 */
201 		if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) {
202 			set_attr.sa_vattr.va_uid = fs_sd->sd_uid;
203 			set_attr.sa_mask |= SMB_AT_UID;
204 		}
205 
206 		if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) {
207 			set_attr.sa_vattr.va_gid = fs_sd->sd_gid;
208 			set_attr.sa_mask |= SMB_AT_GID;
209 		}
210 
211 		if (set_attr.sa_mask)
212 			rc = smb_vop_setattr(vp, NULL, &set_attr, 0, kcr);
213 
214 		if (rc == 0) {
215 			*ret_snode = smb_node_lookup(sr, &sr->arg.open, cr, vp,
216 			    name, dnode, NULL);
217 
218 			if (*ret_snode == NULL)
219 				rc = ENOMEM;
220 
221 			VN_RELE(vp);
222 		}
223 	} else {
224 		/*
225 		 * For filesystems that don't support ACL-on-create, try
226 		 * to set the specified SD after create, which could actually
227 		 * fail because of conflicts between inherited security
228 		 * attributes upon creation and the specified SD.
229 		 *
230 		 * Passing kcred to smb_fsop_sdwrite() to overcome this issue.
231 		 */
232 
233 		if (is_dir) {
234 			rc = smb_vop_mkdir(dnode->vp, name, attr, &vp,
235 			    flags, cr, NULL);
236 		} else {
237 			rc = smb_vop_create(dnode->vp, name, attr, &vp,
238 			    flags, cr, NULL);
239 		}
240 
241 		if (rc != 0)
242 			return (rc);
243 
244 		*ret_snode = smb_node_lookup(sr, &sr->arg.open, cr, vp,
245 		    name, dnode, NULL);
246 
247 		if (*ret_snode != NULL) {
248 			if (!smb_tree_has_feature(sr->tid_tree,
249 			    SMB_TREE_NFS_MOUNTED))
250 				rc = smb_fsop_sdwrite(sr, kcr, *ret_snode,
251 				    fs_sd, 1);
252 		} else {
253 			rc = ENOMEM;
254 		}
255 
256 		VN_RELE(vp);
257 	}
258 
259 	if (rc != 0) {
260 		if (is_dir)
261 			(void) smb_vop_rmdir(dnode->vp, name, flags, cr);
262 		else
263 			(void) smb_vop_remove(dnode->vp, name, flags, cr);
264 	}
265 
266 	return (rc);
267 }
268 #endif	/* _KERNEL */
269 
270 /*
271  * smb_fsop_create
272  *
273  * All SMB functions should use this wrapper to ensure that
274  * all the smb_vop_creates are performed with the appropriate credentials.
275  * Please document any direct calls to explain the reason for avoiding
276  * this wrapper.
277  *
278  * *ret_snode is returned with a reference upon success.  No reference is
279  * taken if an error is returned.
280  */
281 int
282 smb_fsop_create(smb_request_t *sr, cred_t *cr, smb_node_t *dnode,
283     char *name, smb_attr_t *attr, smb_node_t **ret_snode)
284 {
285 	int	rc = 0;
286 	int	flags = 0;
287 	char	*fname, *sname;
288 	char	*longname = NULL;
289 
290 	ASSERT(cr);
291 	ASSERT(dnode);
292 	ASSERT(dnode->n_magic == SMB_NODE_MAGIC);
293 	ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING);
294 
295 	ASSERT(ret_snode);
296 	*ret_snode = 0;
297 
298 	ASSERT(name);
299 	if (*name == 0)
300 		return (EINVAL);
301 
302 	ASSERT(sr);
303 	ASSERT(sr->tid_tree);
304 
305 	if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0)
306 		return (EACCES);
307 
308 	if (SMB_TREE_IS_READONLY(sr))
309 		return (EROFS);
310 
311 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
312 		flags = SMB_IGNORE_CASE;
313 	if (SMB_TREE_SUPPORTS_CATIA(sr))
314 		flags |= SMB_CATIA;
315 	if (SMB_TREE_SUPPORTS_ABE(sr))
316 		flags |= SMB_ABE;
317 
318 	if (smb_is_stream_name(name)) {
319 		fname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
320 		sname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
321 		smb_stream_parse_name(name, fname, sname);
322 
323 		rc = smb_fsop_create_file_with_stream(sr, cr, dnode,
324 		    fname, sname, flags, attr, ret_snode);
325 
326 		kmem_free(fname, MAXNAMELEN);
327 		kmem_free(sname, MAXNAMELEN);
328 		return (rc);
329 	}
330 
331 	/* Not a named stream */
332 
333 	if (SMB_TREE_SUPPORTS_SHORTNAMES(sr) && smb_maybe_mangled(name)) {
334 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
335 		rc = smb_unmangle(dnode, name, longname, MAXNAMELEN, flags);
336 		kmem_free(longname, MAXNAMELEN);
337 
338 		if (rc == 0)
339 			rc = EEXIST;
340 		if (rc != ENOENT)
341 			return (rc);
342 	}
343 
344 	rc = smb_fsop_create_file(sr, cr, dnode, name, flags,
345 	    attr, ret_snode);
346 	return (rc);
347 
348 }
349 
350 
351 /*
352  * smb_fsop_create_file_with_stream
353  *
354  * Create named stream (sname) on file (fname), creating the file if it
355  * doesn't exist.
356  * If we created the file and then creation of the named stream fails,
357  * we delete the file.
358  * Since we use the real file name for the smb_vop_remove we
359  * clear the SMB_IGNORE_CASE flag to ensure a case sensitive
360  * match.
361  *
362  * Note that some stream "types" are "restricted" and only
363  * internal callers (cr == kcred) can create those.
364  */
365 static int
366 smb_fsop_create_file_with_stream(smb_request_t *sr, cred_t *cr,
367     smb_node_t *dnode, char *fname, char *sname, int flags,
368     smb_attr_t *attr, smb_node_t **ret_snode)
369 {
370 	smb_node_t	*fnode;
371 	cred_t		*kcr = zone_kcred();
372 	int		rc = 0;
373 	boolean_t	fcreate = B_FALSE;
374 
375 	ASSERT(ret_snode != NULL);
376 
377 	if (cr != kcr && smb_strname_restricted(sname))
378 		return (EACCES);
379 
380 	/* Look up / create the unnamed stream, fname */
381 	rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS,
382 	    sr->tid_tree->t_snode, dnode, fname, &fnode);
383 	if (rc == 0) {
384 		if (smb_fsop_access(sr, sr->user_cr, fnode,
385 		    sr->sr_open.desired_access) != 0) {
386 			smb_node_release(fnode);
387 			rc = EACCES;
388 		}
389 	} else if (rc == ENOENT) {
390 		fcreate = B_TRUE;
391 		rc = smb_fsop_create_file(sr, cr, dnode, fname, flags,
392 		    attr, &fnode);
393 	}
394 	if (rc != 0)
395 		return (rc);
396 
397 	rc = smb_fsop_create_stream(sr, cr, dnode, fnode, sname, flags, attr,
398 	    ret_snode);
399 
400 	if (rc != 0) {
401 		if (fcreate) {
402 			flags &= ~SMB_IGNORE_CASE;
403 			(void) smb_vop_remove(dnode->vp,
404 			    fnode->od_name, flags, cr);
405 		}
406 	}
407 
408 	smb_node_release(fnode);
409 	return (rc);
410 }
411 
412 /*
413  * smb_fsop_create_stream
414  *
415  * Create named stream (sname) on existing file (fnode).
416  *
417  * The second parameter of smb_vop_setattr() is set to
418  * NULL, even though an unnamed stream exists.  This is
419  * because we want to set the UID and GID on the named
420  * stream in this case for consistency with the (unnamed
421  * stream) file (see comments for smb_vop_setattr()).
422  *
423  * Note that some stream "types" are "restricted" and only
424  * internal callers (cr == kcred) can create those.
425  */
426 int
427 smb_fsop_create_stream(smb_request_t *sr, cred_t *cr,
428     smb_node_t *dnode, smb_node_t *fnode, char *sname, int flags,
429     smb_attr_t *attr, smb_node_t **ret_snode)
430 {
431 	smb_attr_t	fattr;
432 	vnode_t		*xattrdvp;
433 	vnode_t		*vp;
434 	cred_t		*kcr = zone_kcred();
435 	int		rc = 0;
436 
437 	ASSERT(ret_snode != NULL);
438 
439 	if (cr != kcr && smb_strname_restricted(sname))
440 		return (EACCES);
441 
442 	bzero(&fattr, sizeof (fattr));
443 	fattr.sa_mask = SMB_AT_UID | SMB_AT_GID;
444 	rc = smb_vop_getattr(fnode->vp, NULL, &fattr, 0, kcr);
445 
446 	if (rc == 0) {
447 		/* create the named stream, sname */
448 		rc = smb_vop_stream_create(fnode->vp, sname,
449 		    attr, &vp, &xattrdvp, flags, cr);
450 	}
451 	if (rc != 0)
452 		return (rc);
453 
454 	attr->sa_vattr.va_uid = fattr.sa_vattr.va_uid;
455 	attr->sa_vattr.va_gid = fattr.sa_vattr.va_gid;
456 	attr->sa_mask = SMB_AT_UID | SMB_AT_GID;
457 
458 	rc = smb_vop_setattr(vp, NULL, attr, 0, kcr);
459 	if (rc != 0) {
460 		VN_RELE(xattrdvp);
461 		VN_RELE(vp);
462 		return (rc);
463 	}
464 
465 	*ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdvp,
466 	    vp, sname);
467 
468 	VN_RELE(xattrdvp);
469 	VN_RELE(vp);
470 
471 	if (*ret_snode == NULL)
472 		rc = ENOMEM;
473 
474 	/* notify change to the unnamed stream */
475 	if (rc == 0)
476 		smb_node_notify_change(dnode,
477 		    FILE_ACTION_ADDED_STREAM, fnode->od_name);
478 
479 	return (rc);
480 }
481 
482 /*
483  * smb_fsop_create_file
484  */
485 static int
486 smb_fsop_create_file(smb_request_t *sr, cred_t *cr,
487     smb_node_t *dnode, char *name, int flags,
488     smb_attr_t *attr, smb_node_t **ret_snode)
489 {
490 	smb_arg_open_t	*op = &sr->sr_open;
491 	vnode_t		*vp;
492 	int		rc;
493 
494 	ASSERT(ret_snode != NULL);
495 
496 #ifdef	_KERNEL
497 	smb_fssd_t	fs_sd;
498 	uint32_t	secinfo;
499 	uint32_t	status;
500 
501 	if (op->sd) {
502 		/*
503 		 * SD sent by client in Windows format. Needs to be
504 		 * converted to FS format. Inherit DACL/SACL if they're not
505 		 * specified.
506 		 */
507 		secinfo = smb_sd_get_secinfo(op->sd);
508 
509 		if ((secinfo & SMB_SACL_SECINFO) != 0 &&
510 		    !smb_user_has_security_priv(sr->uid_user, cr))
511 			return (EPERM);
512 
513 		smb_fssd_init(&fs_sd, secinfo, 0);
514 
515 		status = smb_sd_tofs(op->sd, &fs_sd);
516 		if (status == NT_STATUS_SUCCESS) {
517 			rc = smb_fsop_sdinherit(sr, dnode, &fs_sd);
518 			if (rc == 0)
519 				rc = smb_fsop_create_with_sd(sr, cr, dnode,
520 				    name, attr, ret_snode, &fs_sd);
521 
522 		} else {
523 			rc = EINVAL;
524 		}
525 		smb_fssd_term(&fs_sd);
526 	} else if (sr->tid_tree->t_acltype == ACE_T) {
527 		/*
528 		 * No incoming SD and filesystem is ZFS
529 		 * Server applies Windows inheritance rules,
530 		 * see smb_fsop_sdinherit() comments as to why.
531 		 */
532 		smb_fssd_init(&fs_sd, 0, 0);
533 		rc = smb_fsop_sdinherit(sr, dnode, &fs_sd);
534 		if (rc == 0) {
535 			rc = smb_fsop_create_with_sd(sr, cr, dnode,
536 			    name, attr, ret_snode, &fs_sd);
537 		}
538 
539 		smb_fssd_term(&fs_sd);
540 	} else
541 #endif	/* _KERNEL */
542 	{
543 		/*
544 		 * No incoming SD and filesystem is not ZFS
545 		 * let the filesystem handles the inheritance.
546 		 */
547 		rc = smb_vop_create(dnode->vp, name, attr, &vp,
548 		    flags, cr, NULL);
549 
550 		if (rc == 0) {
551 			*ret_snode = smb_node_lookup(sr, op, cr, vp,
552 			    name, dnode, NULL);
553 
554 			if (*ret_snode == NULL)
555 				rc = ENOMEM;
556 
557 			VN_RELE(vp);
558 		}
559 
560 	}
561 
562 	if (rc == 0)
563 		smb_node_notify_change(dnode, FILE_ACTION_ADDED, name);
564 
565 	return (rc);
566 }
567 
568 /*
569  * smb_fsop_mkdir
570  *
571  * All SMB functions should use this wrapper to ensure that
572  * the the calls are performed with the appropriate credentials.
573  * Please document any direct call to explain the reason
574  * for avoiding this wrapper.
575  *
576  * It is assumed that a reference exists on snode coming into this routine.
577  *
578  * *ret_snode is returned with a reference upon success.  No reference is
579  * taken if an error is returned.
580  */
581 int
582 smb_fsop_mkdir(
583     smb_request_t *sr,
584     cred_t *cr,
585     smb_node_t *dnode,
586     char *name,
587     smb_attr_t *attr,
588     smb_node_t **ret_snode)
589 {
590 	struct open_param *op = &sr->arg.open;
591 	char *longname;
592 	vnode_t *vp;
593 	int flags = 0;
594 	int rc;
595 
596 #ifdef	_KERNEL
597 	smb_fssd_t fs_sd;
598 	uint32_t secinfo;
599 	uint32_t status;
600 #endif	/* _KERNEL */
601 
602 	ASSERT(cr);
603 	ASSERT(dnode);
604 	ASSERT(dnode->n_magic == SMB_NODE_MAGIC);
605 	ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING);
606 
607 	ASSERT(ret_snode);
608 	*ret_snode = 0;
609 
610 	ASSERT(name);
611 	if (*name == 0)
612 		return (EINVAL);
613 
614 	ASSERT(sr);
615 	ASSERT(sr->tid_tree);
616 
617 	if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0)
618 		return (EACCES);
619 
620 	if (SMB_TREE_IS_READONLY(sr))
621 		return (EROFS);
622 	if (SMB_TREE_SUPPORTS_CATIA(sr))
623 		flags |= SMB_CATIA;
624 	if (SMB_TREE_SUPPORTS_ABE(sr))
625 		flags |= SMB_ABE;
626 
627 	if (SMB_TREE_SUPPORTS_SHORTNAMES(sr) && smb_maybe_mangled(name)) {
628 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
629 		rc = smb_unmangle(dnode, name, longname, MAXNAMELEN, flags);
630 		kmem_free(longname, MAXNAMELEN);
631 
632 		/*
633 		 * If the name passed in by the client has an unmangled
634 		 * equivalent that is found in the specified directory,
635 		 * then the mkdir cannot succeed.  Return EEXIST.
636 		 *
637 		 * Only if ENOENT is returned will a mkdir be attempted.
638 		 */
639 
640 		if (rc == 0)
641 			rc = EEXIST;
642 
643 		if (rc != ENOENT)
644 			return (rc);
645 	}
646 
647 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
648 		flags = SMB_IGNORE_CASE;
649 
650 #ifdef	_KERNEL
651 	if (op->sd) {
652 		/*
653 		 * SD sent by client in Windows format. Needs to be
654 		 * converted to FS format. Inherit DACL/SACL if they're not
655 		 * specified.
656 		 */
657 		secinfo = smb_sd_get_secinfo(op->sd);
658 
659 		if ((secinfo & SMB_SACL_SECINFO) != 0 &&
660 		    !smb_user_has_security_priv(sr->uid_user, cr))
661 			return (EPERM);
662 
663 		smb_fssd_init(&fs_sd, secinfo, SMB_FSSD_FLAGS_DIR);
664 
665 		status = smb_sd_tofs(op->sd, &fs_sd);
666 		if (status == NT_STATUS_SUCCESS) {
667 			rc = smb_fsop_sdinherit(sr, dnode, &fs_sd);
668 			if (rc == 0)
669 				rc = smb_fsop_create_with_sd(sr, cr, dnode,
670 				    name, attr, ret_snode, &fs_sd);
671 		}
672 		else
673 			rc = EINVAL;
674 		smb_fssd_term(&fs_sd);
675 	} else if (sr->tid_tree->t_acltype == ACE_T) {
676 		/*
677 		 * No incoming SD and filesystem is ZFS
678 		 * Server applies Windows inheritance rules,
679 		 * see smb_fsop_sdinherit() comments as to why.
680 		 */
681 		smb_fssd_init(&fs_sd, 0, SMB_FSSD_FLAGS_DIR);
682 		rc = smb_fsop_sdinherit(sr, dnode, &fs_sd);
683 		if (rc == 0) {
684 			rc = smb_fsop_create_with_sd(sr, cr, dnode,
685 			    name, attr, ret_snode, &fs_sd);
686 		}
687 
688 		smb_fssd_term(&fs_sd);
689 
690 	} else
691 #endif	/* _KERNEL */
692 	{
693 		rc = smb_vop_mkdir(dnode->vp, name, attr, &vp, flags, cr,
694 		    NULL);
695 
696 		if (rc == 0) {
697 			*ret_snode = smb_node_lookup(sr, op, cr, vp, name,
698 			    dnode, NULL);
699 
700 			if (*ret_snode == NULL)
701 				rc = ENOMEM;
702 
703 			VN_RELE(vp);
704 		}
705 	}
706 
707 	if (rc == 0)
708 		smb_node_notify_change(dnode, FILE_ACTION_ADDED, name);
709 
710 	return (rc);
711 }
712 
713 /*
714  * smb_fsop_remove
715  *
716  * All SMB functions should use this wrapper to ensure that
717  * the the calls are performed with the appropriate credentials.
718  * Please document any direct call to explain the reason
719  * for avoiding this wrapper.
720  *
721  * It is assumed that a reference exists on snode coming into this routine.
722  *
723  * A null smb_request might be passed to this function.
724  *
725  * Note that some stream "types" are "restricted" and only
726  * internal callers (cr == kcred) can remove those.
727  */
728 int
729 smb_fsop_remove(
730     smb_request_t	*sr,
731     cred_t		*cr,
732     smb_node_t		*dnode,
733     char		*name,
734     uint32_t		flags)
735 {
736 	smb_node_t	*fnode;
737 	char		*longname;
738 	char		*fname;
739 	char		*sname;
740 	int		rc;
741 
742 	ASSERT(cr);
743 	/*
744 	 * The state of the node could be SMB_NODE_STATE_DESTROYING if this
745 	 * function is called during the deletion of the node (because of
746 	 * DELETE_ON_CLOSE).
747 	 */
748 	ASSERT(dnode);
749 	ASSERT(dnode->n_magic == SMB_NODE_MAGIC);
750 
751 	if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0 ||
752 	    SMB_TREE_HAS_ACCESS(sr, ACE_DELETE) == 0)
753 		return (EACCES);
754 
755 	if (SMB_TREE_IS_READONLY(sr))
756 		return (EROFS);
757 
758 	fname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
759 	sname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
760 
761 	if (dnode->flags & NODE_XATTR_DIR) {
762 		if (cr != zone_kcred() && smb_strname_restricted(name)) {
763 			rc = EACCES;
764 			goto out;
765 		}
766 
767 		fnode = dnode->n_dnode;
768 		rc = smb_vop_stream_remove(fnode->vp, name, flags, cr);
769 
770 		/* notify change to the unnamed stream */
771 		if ((rc == 0) && fnode->n_dnode) {
772 			smb_node_notify_change(fnode->n_dnode,
773 			    FILE_ACTION_REMOVED_STREAM, fnode->od_name);
774 		}
775 	} else if (smb_is_stream_name(name)) {
776 		smb_stream_parse_name(name, fname, sname);
777 
778 		if (cr != zone_kcred() && smb_strname_restricted(sname)) {
779 			rc = EACCES;
780 			goto out;
781 		}
782 
783 		/*
784 		 * Look up the unnamed stream (i.e. fname).
785 		 * Unmangle processing will be done on fname
786 		 * as well as any link target.
787 		 */
788 
789 		rc = smb_fsop_lookup(sr, cr, flags | SMB_FOLLOW_LINKS,
790 		    sr->tid_tree->t_snode, dnode, fname, &fnode);
791 
792 		if (rc != 0) {
793 			goto out;
794 		}
795 
796 		/*
797 		 * XXX
798 		 * Need to find out what permission is required by NTFS
799 		 * to remove a stream.
800 		 */
801 		rc = smb_vop_stream_remove(fnode->vp, sname, flags, cr);
802 
803 		smb_node_release(fnode);
804 
805 		/* notify change to the unnamed stream */
806 		if (rc == 0) {
807 			smb_node_notify_change(dnode,
808 			    FILE_ACTION_REMOVED_STREAM, fname);
809 		}
810 	} else {
811 		rc = smb_vop_remove(dnode->vp, name, flags, cr);
812 
813 		if (rc == ENOENT) {
814 			if (!SMB_TREE_SUPPORTS_SHORTNAMES(sr) ||
815 			    !smb_maybe_mangled(name)) {
816 				goto out;
817 			}
818 			longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
819 
820 			if (SMB_TREE_SUPPORTS_ABE(sr))
821 				flags |= SMB_ABE;
822 
823 			rc = smb_unmangle(dnode, name, longname, MAXNAMELEN,
824 			    flags);
825 
826 			if (rc == 0) {
827 				/*
828 				 * longname is the real (case-sensitive)
829 				 * on-disk name.
830 				 * We make sure we do a remove on this exact
831 				 * name, as the name was mangled and denotes
832 				 * a unique file.
833 				 */
834 				flags &= ~SMB_IGNORE_CASE;
835 				rc = smb_vop_remove(dnode->vp, longname,
836 				    flags, cr);
837 			}
838 			kmem_free(longname, MAXNAMELEN);
839 		}
840 		if (rc == 0) {
841 			smb_node_notify_change(dnode,
842 			    FILE_ACTION_REMOVED, name);
843 		}
844 	}
845 
846 out:
847 	kmem_free(fname, MAXNAMELEN);
848 	kmem_free(sname, MAXNAMELEN);
849 
850 	return (rc);
851 }
852 
853 /*
854  * smb_fsop_remove_streams
855  *
856  * This function removes a file's streams without removing the
857  * file itself.
858  *
859  * It is assumed that fnode is not a link.
860  */
861 uint32_t
862 smb_fsop_remove_streams(smb_request_t *sr, cred_t *cr, smb_node_t *fnode)
863 {
864 	int rc, flags = 0;
865 	smb_odir_t *od;
866 	smb_odirent_t *odirent;
867 	uint32_t status;
868 	boolean_t eos;
869 
870 	ASSERT(sr);
871 	ASSERT(cr);
872 	ASSERT(fnode);
873 	ASSERT(fnode->n_magic == SMB_NODE_MAGIC);
874 	ASSERT(fnode->n_state != SMB_NODE_STATE_DESTROYING);
875 
876 	if (SMB_TREE_CONTAINS_NODE(sr, fnode) == 0)
877 		return (NT_STATUS_ACCESS_DENIED);
878 
879 	if (SMB_TREE_IS_READONLY(sr))
880 		return (NT_STATUS_ACCESS_DENIED);
881 
882 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
883 		flags = SMB_IGNORE_CASE;
884 
885 	if (SMB_TREE_SUPPORTS_CATIA(sr))
886 		flags |= SMB_CATIA;
887 
888 	status = smb_odir_openat(sr, fnode, &od);
889 	switch (status) {
890 	case 0:
891 		break;
892 	case NT_STATUS_OBJECT_NAME_NOT_FOUND:
893 	case NT_STATUS_NO_SUCH_FILE:
894 	case NT_STATUS_NOT_SUPPORTED:
895 		/* No streams to remove. */
896 		return (0);
897 	default:
898 		return (status);
899 	}
900 
901 	odirent = kmem_alloc(sizeof (smb_odirent_t), KM_SLEEP);
902 	for (;;) {
903 		rc = smb_odir_read(sr, od, odirent, &eos);
904 		if ((rc != 0) || (eos))
905 			break;
906 		(void) smb_vop_remove(od->d_dnode->vp, odirent->od_name,
907 		    flags, cr);
908 	}
909 	kmem_free(odirent, sizeof (smb_odirent_t));
910 	if (eos && rc == ENOENT)
911 		rc = 0;
912 
913 	smb_odir_close(od);
914 	smb_odir_release(od);
915 	if (rc)
916 		status = smb_errno2status(rc);
917 	return (status);
918 }
919 
920 /*
921  * smb_fsop_rmdir
922  *
923  * All SMB functions should use this wrapper to ensure that
924  * the the calls are performed with the appropriate credentials.
925  * Please document any direct call to explain the reason
926  * for avoiding this wrapper.
927  *
928  * It is assumed that a reference exists on snode coming into this routine.
929  */
930 int
931 smb_fsop_rmdir(
932     smb_request_t	*sr,
933     cred_t		*cr,
934     smb_node_t		*dnode,
935     char		*name,
936     uint32_t		flags)
937 {
938 	int		rc;
939 	char		*longname;
940 
941 	ASSERT(cr);
942 	/*
943 	 * The state of the node could be SMB_NODE_STATE_DESTROYING if this
944 	 * function is called during the deletion of the node (because of
945 	 * DELETE_ON_CLOSE).
946 	 */
947 	ASSERT(dnode);
948 	ASSERT(dnode->n_magic == SMB_NODE_MAGIC);
949 
950 	if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0 ||
951 	    SMB_TREE_HAS_ACCESS(sr, ACE_DELETE_CHILD) == 0)
952 		return (EACCES);
953 
954 	if (SMB_TREE_IS_READONLY(sr))
955 		return (EROFS);
956 
957 	rc = smb_vop_rmdir(dnode->vp, name, flags, cr);
958 
959 	if (rc == ENOENT) {
960 		if (!SMB_TREE_SUPPORTS_SHORTNAMES(sr) ||
961 		    !smb_maybe_mangled(name)) {
962 			return (rc);
963 		}
964 
965 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
966 
967 		if (SMB_TREE_SUPPORTS_ABE(sr))
968 			flags |= SMB_ABE;
969 		rc = smb_unmangle(dnode, name, longname, MAXNAMELEN, flags);
970 
971 		if (rc == 0) {
972 			/*
973 			 * longname is the real (case-sensitive)
974 			 * on-disk name.
975 			 * We make sure we do a rmdir on this exact
976 			 * name, as the name was mangled and denotes
977 			 * a unique directory.
978 			 */
979 			flags &= ~SMB_IGNORE_CASE;
980 			rc = smb_vop_rmdir(dnode->vp, longname, flags, cr);
981 		}
982 
983 		kmem_free(longname, MAXNAMELEN);
984 	}
985 
986 	if (rc == 0)
987 		smb_node_notify_change(dnode, FILE_ACTION_REMOVED, name);
988 
989 	return (rc);
990 }
991 
992 /*
993  * smb_fsop_getattr
994  *
995  * All SMB functions should use this wrapper to ensure that
996  * the the calls are performed with the appropriate credentials.
997  * Please document any direct call to explain the reason
998  * for avoiding this wrapper.
999  *
1000  * It is assumed that a reference exists on snode coming into this routine.
1001  */
1002 int
1003 smb_fsop_getattr(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
1004     smb_attr_t *attr)
1005 {
1006 	smb_node_t *unnamed_node;
1007 	vnode_t *unnamed_vp = NULL;
1008 	uint32_t status;
1009 	uint32_t access = 0;
1010 	int flags = 0;
1011 	int rc;
1012 
1013 	ASSERT(cr);
1014 	ASSERT(snode);
1015 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1016 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1017 
1018 	if (SMB_TREE_CONTAINS_NODE(sr, snode) == 0 ||
1019 	    SMB_TREE_HAS_ACCESS(sr, ACE_READ_ATTRIBUTES) == 0)
1020 		return (EACCES);
1021 
1022 	/* sr could be NULL in some cases */
1023 	if (sr && sr->fid_ofile) {
1024 		/* if uid and/or gid is requested */
1025 		if (attr->sa_mask & (SMB_AT_UID|SMB_AT_GID))
1026 			access |= READ_CONTROL;
1027 
1028 		/* if anything else is also requested */
1029 		if (attr->sa_mask & ~(SMB_AT_UID|SMB_AT_GID))
1030 			access |= FILE_READ_ATTRIBUTES;
1031 
1032 		status = smb_ofile_access(sr->fid_ofile, cr, access);
1033 		if (status != NT_STATUS_SUCCESS)
1034 			return (EACCES);
1035 
1036 		if (smb_tree_has_feature(sr->tid_tree,
1037 		    SMB_TREE_ACEMASKONACCESS))
1038 			flags = ATTR_NOACLCHECK;
1039 	}
1040 
1041 	unnamed_node = SMB_IS_STREAM(snode);
1042 
1043 	if (unnamed_node) {
1044 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1045 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1046 		unnamed_vp = unnamed_node->vp;
1047 	}
1048 
1049 	rc = smb_vop_getattr(snode->vp, unnamed_vp, attr, flags, cr);
1050 
1051 	if ((rc == 0) && smb_node_is_dfslink(snode)) {
1052 		/* a DFS link should be treated as a directory */
1053 		attr->sa_dosattr |= FILE_ATTRIBUTE_DIRECTORY;
1054 	}
1055 
1056 	return (rc);
1057 }
1058 
1059 /*
1060  * smb_fsop_link
1061  *
1062  * All SMB functions should use this smb_vop_link wrapper to ensure that
1063  * the smb_vop_link is performed with the appropriate credentials.
1064  * Please document any direct call to smb_vop_link to explain the reason
1065  * for avoiding this wrapper.
1066  *
1067  * It is assumed that references exist on from_dnode and to_dnode coming
1068  * into this routine.
1069  */
1070 int
1071 smb_fsop_link(smb_request_t *sr, cred_t *cr, smb_node_t *from_fnode,
1072     smb_node_t *to_dnode, char *to_name)
1073 {
1074 	char	*longname = NULL;
1075 	int	flags = 0;
1076 	int	rc;
1077 
1078 	ASSERT(sr);
1079 	ASSERT(sr->tid_tree);
1080 	ASSERT(cr);
1081 	ASSERT(to_dnode);
1082 	ASSERT(to_dnode->n_magic == SMB_NODE_MAGIC);
1083 	ASSERT(to_dnode->n_state != SMB_NODE_STATE_DESTROYING);
1084 	ASSERT(from_fnode);
1085 	ASSERT(from_fnode->n_magic == SMB_NODE_MAGIC);
1086 	ASSERT(from_fnode->n_state != SMB_NODE_STATE_DESTROYING);
1087 
1088 	if (SMB_TREE_CONTAINS_NODE(sr, from_fnode) == 0)
1089 		return (EACCES);
1090 
1091 	if (SMB_TREE_CONTAINS_NODE(sr, to_dnode) == 0)
1092 		return (EACCES);
1093 
1094 	if (SMB_TREE_IS_READONLY(sr))
1095 		return (EROFS);
1096 
1097 	if (SMB_TREE_IS_CASEINSENSITIVE(sr))
1098 		flags = SMB_IGNORE_CASE;
1099 	if (SMB_TREE_SUPPORTS_CATIA(sr))
1100 		flags |= SMB_CATIA;
1101 	if (SMB_TREE_SUPPORTS_ABE(sr))
1102 		flags |= SMB_ABE;
1103 
1104 	if (SMB_TREE_SUPPORTS_SHORTNAMES(sr) && smb_maybe_mangled(to_name)) {
1105 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1106 		rc = smb_unmangle(to_dnode, to_name, longname,
1107 		    MAXNAMELEN, flags);
1108 		kmem_free(longname, MAXNAMELEN);
1109 
1110 		if (rc == 0)
1111 			rc = EEXIST;
1112 		if (rc != ENOENT)
1113 			return (rc);
1114 	}
1115 
1116 	rc = smb_vop_link(to_dnode->vp, from_fnode->vp, to_name, flags, cr);
1117 
1118 	if (rc == 0)
1119 		smb_node_notify_change(to_dnode, FILE_ACTION_ADDED, to_name);
1120 
1121 	return (rc);
1122 }
1123 
1124 /*
1125  * smb_fsop_rename
1126  *
1127  * All SMB functions should use this smb_vop_rename wrapper to ensure that
1128  * the smb_vop_rename is performed with the appropriate credentials.
1129  * Please document any direct call to smb_vop_rename to explain the reason
1130  * for avoiding this wrapper.
1131  *
1132  * It is assumed that references exist on from_dnode and to_dnode coming
1133  * into this routine.
1134  */
1135 int
1136 smb_fsop_rename(
1137     smb_request_t *sr,
1138     cred_t *cr,
1139     smb_node_t *from_dnode,
1140     char *from_name,
1141     smb_node_t *to_dnode,
1142     char *to_name)
1143 {
1144 	smb_node_t *from_snode;
1145 	smb_attr_t from_attr;
1146 	vnode_t *from_vp;
1147 	int flags = 0, ret_flags;
1148 	int rc;
1149 	boolean_t isdir;
1150 
1151 	ASSERT(cr);
1152 	ASSERT(from_dnode);
1153 	ASSERT(from_dnode->n_magic == SMB_NODE_MAGIC);
1154 	ASSERT(from_dnode->n_state != SMB_NODE_STATE_DESTROYING);
1155 
1156 	ASSERT(to_dnode);
1157 	ASSERT(to_dnode->n_magic == SMB_NODE_MAGIC);
1158 	ASSERT(to_dnode->n_state != SMB_NODE_STATE_DESTROYING);
1159 
1160 	if (SMB_TREE_CONTAINS_NODE(sr, from_dnode) == 0)
1161 		return (EACCES);
1162 
1163 	if (SMB_TREE_CONTAINS_NODE(sr, to_dnode) == 0)
1164 		return (EACCES);
1165 
1166 	ASSERT(sr);
1167 	ASSERT(sr->tid_tree);
1168 	if (SMB_TREE_IS_READONLY(sr))
1169 		return (EROFS);
1170 
1171 	/*
1172 	 * Note: There is no need to check SMB_TREE_IS_CASEINSENSITIVE
1173 	 * here.
1174 	 *
1175 	 * A case-sensitive rename is always done in this routine
1176 	 * because we are using the on-disk name from an earlier lookup.
1177 	 * If a mangled name was passed in by the caller (denoting a
1178 	 * deterministic lookup), then the exact file must be renamed
1179 	 * (i.e. SMB_IGNORE_CASE must not be passed to VOP_RENAME, or
1180 	 * else the underlying file system might return a "first-match"
1181 	 * on this on-disk name, possibly resulting in the wrong file).
1182 	 */
1183 
1184 	if (SMB_TREE_SUPPORTS_CATIA(sr))
1185 		flags |= SMB_CATIA;
1186 
1187 	/*
1188 	 * XXX: Lock required through smb_node_release() below?
1189 	 */
1190 
1191 	rc = smb_vop_lookup(from_dnode->vp, from_name, &from_vp, NULL,
1192 	    flags, &ret_flags, NULL, &from_attr, cr);
1193 
1194 	if (rc != 0)
1195 		return (rc);
1196 
1197 	if (from_attr.sa_dosattr & FILE_ATTRIBUTE_REPARSE_POINT) {
1198 		VN_RELE(from_vp);
1199 		return (EACCES);
1200 	}
1201 
1202 	isdir = ((from_attr.sa_dosattr & FILE_ATTRIBUTE_DIRECTORY) != 0);
1203 
1204 	if ((isdir && SMB_TREE_HAS_ACCESS(sr,
1205 	    ACE_DELETE_CHILD | ACE_ADD_SUBDIRECTORY) !=
1206 	    (ACE_DELETE_CHILD | ACE_ADD_SUBDIRECTORY)) ||
1207 	    (!isdir && SMB_TREE_HAS_ACCESS(sr, ACE_DELETE | ACE_ADD_FILE) !=
1208 	    (ACE_DELETE | ACE_ADD_FILE))) {
1209 		VN_RELE(from_vp);
1210 		return (EACCES);
1211 	}
1212 
1213 	/*
1214 	 * SMB checks access on open and retains an access granted
1215 	 * mask for use while the file is open.  ACL changes should
1216 	 * not affect access to an open file.
1217 	 *
1218 	 * If the rename is being performed on an ofile:
1219 	 * - Check the ofile's access granted mask to see if the
1220 	 *   rename is permitted - requires DELETE access.
1221 	 * - If the file system does access checking, set the
1222 	 *   ATTR_NOACLCHECK flag to ensure that the file system
1223 	 *   does not check permissions on subsequent calls.
1224 	 */
1225 	if (sr && sr->fid_ofile) {
1226 		rc = smb_ofile_access(sr->fid_ofile, cr, DELETE);
1227 		if (rc != NT_STATUS_SUCCESS) {
1228 			VN_RELE(from_vp);
1229 			return (EACCES);
1230 		}
1231 
1232 		if (smb_tree_has_feature(sr->tid_tree,
1233 		    SMB_TREE_ACEMASKONACCESS))
1234 			flags = ATTR_NOACLCHECK;
1235 	}
1236 
1237 	rc = smb_vop_rename(from_dnode->vp, from_name, to_dnode->vp,
1238 	    to_name, flags, cr);
1239 
1240 	if (rc == 0) {
1241 		from_snode = smb_node_lookup(sr, NULL, cr, from_vp, from_name,
1242 		    from_dnode, NULL);
1243 
1244 		if (from_snode == NULL) {
1245 			rc = ENOMEM;
1246 		} else {
1247 			smb_node_rename(from_dnode, from_snode,
1248 			    to_dnode, to_name);
1249 			smb_node_release(from_snode);
1250 		}
1251 	}
1252 	VN_RELE(from_vp);
1253 
1254 	if (rc == 0) {
1255 		if (from_dnode == to_dnode) {
1256 			smb_node_notify_change(from_dnode,
1257 			    FILE_ACTION_RENAMED_OLD_NAME, from_name);
1258 			smb_node_notify_change(to_dnode,
1259 			    FILE_ACTION_RENAMED_NEW_NAME, to_name);
1260 		} else {
1261 			smb_node_notify_change(from_dnode,
1262 			    FILE_ACTION_REMOVED, from_name);
1263 			smb_node_notify_change(to_dnode,
1264 			    FILE_ACTION_ADDED, to_name);
1265 		}
1266 	}
1267 
1268 	/* XXX: unlock */
1269 
1270 	return (rc);
1271 }
1272 
1273 /*
1274  * smb_fsop_setattr
1275  *
1276  * All SMB functions should use this wrapper to ensure that
1277  * the the calls are performed with the appropriate credentials.
1278  * Please document any direct call to explain the reason
1279  * for avoiding this wrapper.
1280  *
1281  * It is assumed that a reference exists on snode coming into
1282  * this function.
1283  * A null smb_request might be passed to this function.
1284  */
1285 int
1286 smb_fsop_setattr(
1287     smb_request_t	*sr,
1288     cred_t		*cr,
1289     smb_node_t		*snode,
1290     smb_attr_t		*set_attr)
1291 {
1292 	smb_node_t *unnamed_node;
1293 	vnode_t *unnamed_vp = NULL;
1294 	uint32_t status;
1295 	uint32_t access;
1296 	int rc = 0;
1297 	int flags = 0;
1298 	uint_t sa_mask;
1299 
1300 	ASSERT(cr);
1301 	ASSERT(snode);
1302 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1303 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1304 
1305 	if (SMB_TREE_CONTAINS_NODE(sr, snode) == 0)
1306 		return (EACCES);
1307 
1308 	if (SMB_TREE_IS_READONLY(sr))
1309 		return (EROFS);
1310 
1311 	if (SMB_TREE_HAS_ACCESS(sr,
1312 	    ACE_WRITE_ATTRIBUTES | ACE_WRITE_NAMED_ATTRS) == 0)
1313 		return (EACCES);
1314 
1315 	/*
1316 	 * SMB checks access on open and retains an access granted
1317 	 * mask for use while the file is open.  ACL changes should
1318 	 * not affect access to an open file.
1319 	 *
1320 	 * If the setattr is being performed on an ofile:
1321 	 * - Check the ofile's access granted mask to see if the
1322 	 *   setattr is permitted.
1323 	 *   UID, GID - require WRITE_OWNER
1324 	 *   SIZE, ALLOCSZ - require FILE_WRITE_DATA
1325 	 *   all other attributes require FILE_WRITE_ATTRIBUTES
1326 	 *
1327 	 * - If the file system does access checking, set the
1328 	 *   ATTR_NOACLCHECK flag to ensure that the file system
1329 	 *   does not check permissions on subsequent calls.
1330 	 */
1331 	if (sr && sr->fid_ofile) {
1332 		sa_mask = set_attr->sa_mask;
1333 		access = 0;
1334 
1335 		if (sa_mask & (SMB_AT_SIZE | SMB_AT_ALLOCSZ)) {
1336 			access |= FILE_WRITE_DATA;
1337 			sa_mask &= ~(SMB_AT_SIZE | SMB_AT_ALLOCSZ);
1338 		}
1339 
1340 		if (sa_mask & (SMB_AT_UID|SMB_AT_GID)) {
1341 			access |= WRITE_OWNER;
1342 			sa_mask &= ~(SMB_AT_UID|SMB_AT_GID);
1343 		}
1344 
1345 		if (sa_mask)
1346 			access |= FILE_WRITE_ATTRIBUTES;
1347 
1348 		status = smb_ofile_access(sr->fid_ofile, cr, access);
1349 		if (status != NT_STATUS_SUCCESS)
1350 			return (EACCES);
1351 
1352 		if (smb_tree_has_feature(sr->tid_tree,
1353 		    SMB_TREE_ACEMASKONACCESS))
1354 			flags = ATTR_NOACLCHECK;
1355 	}
1356 
1357 	unnamed_node = SMB_IS_STREAM(snode);
1358 
1359 	if (unnamed_node) {
1360 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1361 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1362 		unnamed_vp = unnamed_node->vp;
1363 	}
1364 
1365 	rc = smb_vop_setattr(snode->vp, unnamed_vp, set_attr, flags, cr);
1366 	return (rc);
1367 }
1368 
1369 /*
1370  * Support for SMB2 setinfo FileValidDataLengthInformation.
1371  * Free (zero out) data in the range off, off+len
1372  */
1373 int
1374 smb_fsop_freesp(
1375     smb_request_t	*sr,
1376     cred_t		*cr,
1377     smb_ofile_t		*ofile,
1378     off64_t		off,
1379     off64_t		len)
1380 {
1381 	flock64_t flk;
1382 	smb_node_t *node = ofile->f_node;
1383 	uint32_t status;
1384 	uint32_t access = FILE_WRITE_DATA;
1385 	int rc;
1386 
1387 	ASSERT(cr);
1388 	ASSERT(node);
1389 	ASSERT(node->n_magic == SMB_NODE_MAGIC);
1390 	ASSERT(node->n_state != SMB_NODE_STATE_DESTROYING);
1391 
1392 	if (SMB_TREE_CONTAINS_NODE(sr, node) == 0)
1393 		return (EACCES);
1394 
1395 	if (SMB_TREE_IS_READONLY(sr))
1396 		return (EROFS);
1397 
1398 	if (SMB_TREE_HAS_ACCESS(sr, access) == 0)
1399 		return (EACCES);
1400 
1401 	/*
1402 	 * SMB checks access on open and retains an access granted
1403 	 * mask for use while the file is open.  ACL changes should
1404 	 * not affect access to an open file.
1405 	 *
1406 	 * If the setattr is being performed on an ofile:
1407 	 * - Check the ofile's access granted mask to see if this
1408 	 *   modification should be permitted (FILE_WRITE_DATA)
1409 	 */
1410 	status = smb_ofile_access(sr->fid_ofile, cr, access);
1411 	if (status != NT_STATUS_SUCCESS)
1412 		return (EACCES);
1413 
1414 	bzero(&flk, sizeof (flk));
1415 	flk.l_start = off;
1416 	flk.l_len = len;
1417 
1418 	rc = smb_vop_space(node->vp, F_FREESP, &flk, FWRITE, 0LL, cr);
1419 	return (rc);
1420 }
1421 
1422 /*
1423  * smb_fsop_read
1424  *
1425  * All SMB functions should use this wrapper to ensure that
1426  * the the calls are performed with the appropriate credentials.
1427  * Please document any direct call to explain the reason
1428  * for avoiding this wrapper.
1429  *
1430  * It is assumed that a reference exists on snode coming into this routine.
1431  * Note that ofile may be different from sr->fid_ofile, or may be NULL.
1432  */
1433 int
1434 smb_fsop_read(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
1435     smb_ofile_t *ofile, uio_t *uio, int ioflag)
1436 {
1437 	caller_context_t ct;
1438 	cred_t *kcr = zone_kcred();
1439 	uint32_t amask;
1440 	int svmand;
1441 	int rc;
1442 
1443 	ASSERT(cr);
1444 	ASSERT(snode);
1445 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1446 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1447 
1448 	ASSERT(sr);
1449 
1450 	if (ofile != NULL) {
1451 		/*
1452 		 * Check tree access.  Not SMB_TREE_HAS_ACCESS
1453 		 * because we need to use ofile->f_tree
1454 		 */
1455 		if ((ofile->f_tree->t_access & ACE_READ_DATA) == 0)
1456 			return (EACCES);
1457 
1458 		/*
1459 		 * Check ofile access.  Use in-line smb_ofile_access
1460 		 * so we can check both amask bits at the same time.
1461 		 * If any bit in amask is granted, allow this read.
1462 		 */
1463 		amask = FILE_READ_DATA;
1464 		if (sr->smb_flg2 & SMB_FLAGS2_READ_IF_EXECUTE)
1465 			amask |= FILE_EXECUTE;
1466 		if (cr != kcr && (ofile->f_granted_access & amask) == 0)
1467 			return (EACCES);
1468 	}
1469 
1470 	/*
1471 	 * Streams permission are checked against the unnamed stream,
1472 	 * but in FS level they have their own permissions. To avoid
1473 	 * rejection by FS due to lack of permission on the actual
1474 	 * extended attr kcred is passed for streams.
1475 	 */
1476 	if (SMB_IS_STREAM(snode))
1477 		cr = kcr;
1478 
1479 	smb_node_start_crit(snode, RW_READER);
1480 	rc = nbl_svmand(snode->vp, kcr, &svmand);
1481 	if (rc) {
1482 		smb_node_end_crit(snode);
1483 		return (rc);
1484 	}
1485 
1486 	/*
1487 	 * Note: SMB allows a zero-byte read, which should not
1488 	 * conflict with any locks.  However nbl_lock_conflict
1489 	 * takes a zero-byte length as lock to EOF, so we must
1490 	 * special case that here.
1491 	 */
1492 	if (uio->uio_resid > 0) {
1493 		ct = smb_ct;
1494 		if (ofile != NULL)
1495 			ct.cc_pid = ofile->f_uniqid;
1496 		rc = nbl_lock_conflict(snode->vp, NBL_READ, uio->uio_loffset,
1497 		    uio->uio_resid, svmand, &ct);
1498 		if (rc != 0) {
1499 			smb_node_end_crit(snode);
1500 			return (ERANGE);
1501 		}
1502 	}
1503 
1504 	rc = smb_vop_read(snode->vp, uio, ioflag, cr);
1505 	smb_node_end_crit(snode);
1506 
1507 	return (rc);
1508 }
1509 
1510 /*
1511  * smb_fsop_write
1512  *
1513  * It is assumed that a reference exists on snode coming into this routine.
1514  * Note that ofile may be different from sr->fid_ofile, or may be NULL.
1515  */
1516 int
1517 smb_fsop_write(
1518     smb_request_t *sr,
1519     cred_t *cr,
1520     smb_node_t *snode,
1521     smb_ofile_t *ofile,
1522     uio_t *uio,
1523     uint32_t *lcount,
1524     int ioflag)
1525 {
1526 	caller_context_t ct;
1527 	smb_attr_t attr;
1528 	cred_t *kcr = zone_kcred();
1529 	smb_node_t *u_node;
1530 	vnode_t *u_vp = NULL;
1531 	vnode_t *vp;
1532 	uint32_t amask;
1533 	int svmand;
1534 	int rc;
1535 
1536 	ASSERT(cr);
1537 	ASSERT(snode);
1538 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1539 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1540 
1541 	ASSERT(sr);
1542 	vp = snode->vp;
1543 
1544 	if (ofile != NULL) {
1545 		amask = FILE_WRITE_DATA | FILE_APPEND_DATA;
1546 
1547 		/* Check tree access. */
1548 		if ((ofile->f_tree->t_access & amask) == 0)
1549 			return (EROFS);
1550 
1551 		/*
1552 		 * Check ofile access.  Use in-line smb_ofile_access
1553 		 * so we can check both amask bits at the same time.
1554 		 * If any bit in amask is granted, allow this write.
1555 		 */
1556 		if (cr != kcr && (ofile->f_granted_access & amask) == 0)
1557 			return (EACCES);
1558 	}
1559 
1560 	/*
1561 	 * Streams permission are checked against the unnamed stream,
1562 	 * but in FS level they have their own permissions. To avoid
1563 	 * rejection by FS due to lack of permission on the actual
1564 	 * extended attr kcred is passed for streams.
1565 	 */
1566 	u_node = SMB_IS_STREAM(snode);
1567 	if (u_node != NULL) {
1568 		ASSERT(u_node->n_magic == SMB_NODE_MAGIC);
1569 		ASSERT(u_node->n_state != SMB_NODE_STATE_DESTROYING);
1570 		u_vp = u_node->vp;
1571 		cr = kcr;
1572 	}
1573 
1574 	smb_node_start_crit(snode, RW_READER);
1575 	rc = nbl_svmand(vp, kcr, &svmand);
1576 	if (rc) {
1577 		smb_node_end_crit(snode);
1578 		return (rc);
1579 	}
1580 
1581 	/*
1582 	 * Note: SMB allows a zero-byte write, which should not
1583 	 * conflict with any locks.  However nbl_lock_conflict
1584 	 * takes a zero-byte length as lock to EOF, so we must
1585 	 * special case that here.
1586 	 */
1587 	if (uio->uio_resid > 0) {
1588 		ct = smb_ct;
1589 		if (ofile != NULL)
1590 			ct.cc_pid = ofile->f_uniqid;
1591 		rc = nbl_lock_conflict(vp, NBL_WRITE, uio->uio_loffset,
1592 		    uio->uio_resid, svmand, &ct);
1593 		if (rc != 0) {
1594 			smb_node_end_crit(snode);
1595 			return (ERANGE);
1596 		}
1597 	}
1598 
1599 	rc = smb_vop_write(vp, uio, ioflag, lcount, cr);
1600 
1601 	/*
1602 	 * Once the mtime has been set via this ofile, the
1603 	 * automatic mtime changes from writes via this ofile
1604 	 * should cease, preserving the mtime that was set.
1605 	 * See: [MS-FSA] 2.1.5.14 and smb_node_setattr.
1606 	 *
1607 	 * The VFS interface does not offer a way to ask it to
1608 	 * skip the mtime updates, so we simulate the desired
1609 	 * behavior by re-setting the mtime after writes on a
1610 	 * handle where the mtime has been set.
1611 	 */
1612 	if (ofile != NULL &&
1613 	    (ofile->f_pending_attr.sa_mask & SMB_AT_MTIME) != 0) {
1614 		bcopy(&ofile->f_pending_attr, &attr, sizeof (attr));
1615 		attr.sa_mask = SMB_AT_MTIME;
1616 		(void) smb_vop_setattr(vp, u_vp, &attr, 0, kcr);
1617 	}
1618 
1619 	smb_node_end_crit(snode);
1620 
1621 	return (rc);
1622 }
1623 
1624 /*
1625  * Find the next allocated range starting at or after
1626  * the offset (*datap), returning the start/end of
1627  * that range in (*datap, *holep)
1628  */
1629 int
1630 smb_fsop_next_alloc_range(
1631     cred_t *cr,
1632     smb_node_t *node,
1633     off64_t *datap,
1634     off64_t *holep)
1635 {
1636 	int err;
1637 
1638 	err = smb_vop_ioctl(node->vp, _FIO_SEEK_DATA, datap, cr);
1639 	if (err != 0)
1640 		return (err);
1641 
1642 	*holep = *datap;
1643 	err = smb_vop_ioctl(node->vp, _FIO_SEEK_HOLE, holep, cr);
1644 
1645 	return (err);
1646 }
1647 
1648 /*
1649  * smb_fsop_statfs
1650  *
1651  * This is a wrapper function used for stat operations.
1652  */
1653 int
1654 smb_fsop_statfs(
1655     cred_t *cr,
1656     smb_node_t *snode,
1657     struct statvfs64 *statp)
1658 {
1659 	ASSERT(cr);
1660 	ASSERT(snode);
1661 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1662 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1663 
1664 	return (smb_vop_statfs(snode->vp, statp, cr));
1665 }
1666 
1667 /*
1668  * smb_fsop_access
1669  *
1670  * Named streams do not have separate permissions from the associated
1671  * unnamed stream.  Thus, if node is a named stream, the permissions
1672  * check will be performed on the associated unnamed stream.
1673  *
1674  * However, our named streams do have their own quarantine attribute,
1675  * separate from that on the unnamed stream. If READ or EXECUTE
1676  * access has been requested on a named stream, an additional access
1677  * check is performed on the named stream in case it has been
1678  * quarantined.  kcred is used to avoid issues with the permissions
1679  * set on the extended attribute file representing the named stream.
1680  *
1681  * Note that some stream "types" are "restricted" and only
1682  * internal callers (cr == kcred) can access those.
1683  */
1684 int
1685 smb_fsop_access(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
1686     uint32_t faccess)
1687 {
1688 	int access = 0;
1689 	int error;
1690 	vnode_t *dir_vp;
1691 	boolean_t acl_check = B_TRUE;
1692 	smb_node_t *unnamed_node;
1693 
1694 	ASSERT(sr);
1695 	ASSERT(cr);
1696 	ASSERT(snode);
1697 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
1698 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
1699 
1700 	if (SMB_TREE_IS_READONLY(sr)) {
1701 		if (faccess & (FILE_WRITE_DATA|FILE_APPEND_DATA|
1702 		    FILE_WRITE_EA|FILE_DELETE_CHILD|FILE_WRITE_ATTRIBUTES|
1703 		    DELETE|WRITE_DAC|WRITE_OWNER)) {
1704 			return (NT_STATUS_ACCESS_DENIED);
1705 		}
1706 	}
1707 
1708 	if (smb_node_is_reparse(snode) && (faccess & DELETE))
1709 		return (NT_STATUS_ACCESS_DENIED);
1710 
1711 	unnamed_node = SMB_IS_STREAM(snode);
1712 	if (unnamed_node) {
1713 		cred_t *kcr = zone_kcred();
1714 
1715 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
1716 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
1717 
1718 		if (cr != kcr && smb_strname_restricted(snode->od_name))
1719 			return (NT_STATUS_ACCESS_DENIED);
1720 
1721 		/*
1722 		 * Perform VREAD access check on the named stream in case it
1723 		 * is quarantined. kcred is passed to smb_vop_access so it
1724 		 * doesn't fail due to lack of permission.
1725 		 */
1726 		if (faccess & (FILE_READ_DATA | FILE_EXECUTE)) {
1727 			error = smb_vop_access(snode->vp, VREAD,
1728 			    0, NULL, kcr);
1729 			if (error)
1730 				return (NT_STATUS_ACCESS_DENIED);
1731 		}
1732 
1733 		/*
1734 		 * Streams authorization should be performed against the
1735 		 * unnamed stream.
1736 		 */
1737 		snode = unnamed_node;
1738 	}
1739 
1740 	if (faccess & ACCESS_SYSTEM_SECURITY) {
1741 		/*
1742 		 * This permission is required for reading/writing SACL and
1743 		 * it's not part of DACL. It's only granted via proper
1744 		 * privileges.
1745 		 */
1746 		if (!smb_user_has_security_priv(sr->uid_user, cr))
1747 			return (NT_STATUS_PRIVILEGE_NOT_HELD);
1748 
1749 		faccess &= ~ACCESS_SYSTEM_SECURITY;
1750 	}
1751 
1752 	/* Links don't have ACL */
1753 	if ((!smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS)) ||
1754 	    smb_node_is_symlink(snode))
1755 		acl_check = B_FALSE;
1756 
1757 	/* Deny access based on the share access mask */
1758 
1759 	if ((faccess & ~sr->tid_tree->t_access) != 0)
1760 		return (NT_STATUS_ACCESS_DENIED);
1761 
1762 	if (acl_check) {
1763 		dir_vp = (snode->n_dnode) ? snode->n_dnode->vp : NULL;
1764 		error = smb_vop_access(snode->vp, faccess, V_ACE_MASK, dir_vp,
1765 		    cr);
1766 	} else {
1767 		/*
1768 		 * FS doesn't understand 32-bit mask, need to map
1769 		 */
1770 		if (faccess & (FILE_WRITE_DATA | FILE_APPEND_DATA))
1771 			access |= VWRITE;
1772 
1773 		if (faccess & FILE_READ_DATA)
1774 			access |= VREAD;
1775 
1776 		if (faccess & FILE_EXECUTE)
1777 			access |= VEXEC;
1778 
1779 		error = smb_vop_access(snode->vp, access, 0, NULL, cr);
1780 	}
1781 
1782 	return ((error) ? NT_STATUS_ACCESS_DENIED : NT_STATUS_SUCCESS);
1783 }
1784 
1785 /*
1786  * smb_fsop_lookup_name()
1787  *
1788  * Lookup both the file and stream specified in 'name'.
1789  * If name indicates that the file is a stream file, perform
1790  * stream specific lookup, otherwise call smb_fsop_lookup.
1791  *
1792  * On success, returns the found node in *ret_snode. This will be either a named
1793  * or unnamed stream node, depending on the name specified.
1794  *
1795  * Return an error if the looked-up file is in outside the tree.
1796  * (Required when invoked from open path.)
1797  *
1798  * Case sensitivity flags (SMB_IGNORE_CASE, SMB_CASE_SENSITIVE):
1799  * if SMB_CASE_SENSITIVE is set, the SMB_IGNORE_CASE flag will NOT be set
1800  * based on the tree's case sensitivity. However, if the SMB_IGNORE_CASE
1801  * flag is set in the flags value passed as a parameter, a case insensitive
1802  * lookup WILL be done (regardless of whether SMB_CASE_SENSITIVE is set
1803  * or not).
1804  */
1805 
1806 int
1807 smb_fsop_lookup_name(
1808     smb_request_t *sr,
1809     cred_t	*cr,
1810     int		flags,
1811     smb_node_t	*root_node,
1812     smb_node_t	*dnode,
1813     char	*name,
1814     smb_node_t	**ret_snode)
1815 {
1816 	char *sname = NULL;
1817 	int rc;
1818 	smb_node_t *tmp_node;
1819 
1820 	ASSERT(ret_snode != NULL);
1821 
1822 	rc = smb_fsop_lookup_file(sr, cr, flags, root_node, dnode, name,
1823 	    &sname, ret_snode);
1824 
1825 	if (rc != 0 || sname == NULL)
1826 		return (rc);
1827 
1828 	tmp_node = *ret_snode;
1829 	rc = smb_fsop_lookup_stream(sr, cr, flags, root_node, tmp_node, sname,
1830 	    ret_snode);
1831 	kmem_free(sname, MAXNAMELEN);
1832 	smb_node_release(tmp_node);
1833 
1834 	return (rc);
1835 }
1836 
1837 /*
1838  * smb_fsop_lookup_file()
1839  *
1840  * Look up of the file portion of 'name'. If a Stream is specified,
1841  * return the stream name in 'sname', which this allocates.
1842  * The caller must free 'sname'.
1843  *
1844  * Return an error if the looked-up file is outside the tree.
1845  * (Required when invoked from open path.)
1846  *
1847  * Case sensitivity flags (SMB_IGNORE_CASE, SMB_CASE_SENSITIVE):
1848  * if SMB_CASE_SENSITIVE is set, the SMB_IGNORE_CASE flag will NOT be set
1849  * based on the tree's case sensitivity. However, if the SMB_IGNORE_CASE
1850  * flag is set in the flags value passed as a parameter, a case insensitive
1851  * lookup WILL be done (regardless of whether SMB_CASE_SENSITIVE is set
1852  * or not).
1853  */
1854 
1855 int
1856 smb_fsop_lookup_file(
1857     smb_request_t *sr,
1858     cred_t	*cr,
1859     int		flags,
1860     smb_node_t	*root_node,
1861     smb_node_t	*dnode,
1862     char	*name,
1863     char	**sname,
1864     smb_node_t	**ret_snode)
1865 {
1866 	char		*fname;
1867 	int		rc;
1868 
1869 	ASSERT(cr);
1870 	ASSERT(dnode);
1871 	ASSERT(dnode->n_magic == SMB_NODE_MAGIC);
1872 	ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING);
1873 	ASSERT(ret_snode != NULL);
1874 
1875 	/*
1876 	 * The following check is required for streams processing, below
1877 	 */
1878 
1879 	if (!(flags & SMB_CASE_SENSITIVE)) {
1880 		if (SMB_TREE_IS_CASEINSENSITIVE(sr))
1881 			flags |= SMB_IGNORE_CASE;
1882 	}
1883 
1884 	*sname = NULL;
1885 	if (smb_is_stream_name(name)) {
1886 		*sname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1887 		fname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1888 		smb_stream_parse_name(name, fname, *sname);
1889 
1890 		/*
1891 		 * Look up the unnamed stream (i.e. fname).
1892 		 * Unmangle processing will be done on fname
1893 		 * as well as any link target.
1894 		 */
1895 		rc = smb_fsop_lookup(sr, cr, flags, root_node, dnode,
1896 		    fname, ret_snode);
1897 		kmem_free(fname, MAXNAMELEN);
1898 	} else {
1899 		rc = smb_fsop_lookup(sr, cr, flags, root_node, dnode, name,
1900 		    ret_snode);
1901 	}
1902 
1903 	if (rc == 0) {
1904 		ASSERT(ret_snode);
1905 		if (SMB_TREE_CONTAINS_NODE(sr, *ret_snode) == 0) {
1906 			smb_node_release(*ret_snode);
1907 			*ret_snode = NULL;
1908 			rc = EACCES;
1909 		}
1910 	}
1911 
1912 	if (rc != 0 && *sname != NULL) {
1913 		kmem_free(*sname, MAXNAMELEN);
1914 		*sname = NULL;
1915 	}
1916 	return (rc);
1917 }
1918 
1919 /*
1920  * smb_fsop_lookup_stream
1921  *
1922  * The file exists, see if the stream exists.
1923  */
1924 int
1925 smb_fsop_lookup_stream(
1926     smb_request_t *sr,
1927     cred_t *cr,
1928     int flags,
1929     smb_node_t *root_node,
1930     smb_node_t *fnode,
1931     char *sname,
1932     smb_node_t **ret_snode)
1933 {
1934 	char		*od_name;
1935 	vnode_t		*xattrdirvp;
1936 	vnode_t		*vp;
1937 	int rc;
1938 
1939 	/*
1940 	 * The following check is required for streams processing, below
1941 	 */
1942 
1943 	if (!(flags & SMB_CASE_SENSITIVE)) {
1944 		if (SMB_TREE_IS_CASEINSENSITIVE(sr))
1945 			flags |= SMB_IGNORE_CASE;
1946 	}
1947 
1948 	od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1949 
1950 	/*
1951 	 * od_name is the on-disk name of the stream, except
1952 	 * without the prepended stream prefix (SMB_STREAM_PREFIX)
1953 	 */
1954 
1955 	rc = smb_vop_stream_lookup(fnode->vp, sname, &vp, od_name,
1956 	    &xattrdirvp, flags, root_node->vp, cr);
1957 
1958 	if (rc != 0) {
1959 		kmem_free(od_name, MAXNAMELEN);
1960 		return (rc);
1961 	}
1962 
1963 	*ret_snode = smb_stream_node_lookup(sr, cr, fnode, xattrdirvp,
1964 	    vp, od_name);
1965 
1966 	kmem_free(od_name, MAXNAMELEN);
1967 	VN_RELE(xattrdirvp);
1968 	VN_RELE(vp);
1969 
1970 	if (*ret_snode == NULL)
1971 		return (ENOMEM);
1972 
1973 	return (rc);
1974 }
1975 
1976 /*
1977  * smb_fsop_lookup
1978  *
1979  * All SMB functions should use this smb_vop_lookup wrapper to ensure that
1980  * the smb_vop_lookup is performed with the appropriate credentials and using
1981  * case insensitive compares. Please document any direct call to smb_vop_lookup
1982  * to explain the reason for avoiding this wrapper.
1983  *
1984  * It is assumed that a reference exists on dnode coming into this routine
1985  * (and that it is safe from deallocation).
1986  *
1987  * Same with the root_node.
1988  *
1989  * *ret_snode is returned with a reference upon success.  No reference is
1990  * taken if an error is returned.
1991  *
1992  * Note: The returned ret_snode may be in a child mount.  This is ok for
1993  * readdir.
1994  *
1995  * Other smb_fsop_* routines will call SMB_TREE_CONTAINS_NODE() to prevent
1996  * operations on files not in the parent mount.
1997  *
1998  * Case sensitivity flags (SMB_IGNORE_CASE, SMB_CASE_SENSITIVE):
1999  * if SMB_CASE_SENSITIVE is set, the SMB_IGNORE_CASE flag will NOT be set
2000  * based on the tree's case sensitivity. However, if the SMB_IGNORE_CASE
2001  * flag is set in the flags value passed as a parameter, a case insensitive
2002  * lookup WILL be done (regardless of whether SMB_CASE_SENSITIVE is set
2003  * or not).
2004  */
2005 int
2006 smb_fsop_lookup(
2007     smb_request_t *sr,
2008     cred_t	*cr,
2009     int		flags,
2010     smb_node_t	*root_node,
2011     smb_node_t	*dnode,
2012     char	*name,
2013     smb_node_t	**ret_snode)
2014 {
2015 	smb_node_t *lnk_target_node;
2016 	smb_node_t *lnk_dnode;
2017 	char *longname;
2018 	char *od_name;
2019 	vnode_t *vp;
2020 	int rc;
2021 	int ret_flags;
2022 	smb_attr_t attr;
2023 
2024 	ASSERT(cr);
2025 	ASSERT(dnode);
2026 	ASSERT(dnode->n_magic == SMB_NODE_MAGIC);
2027 	ASSERT(dnode->n_state != SMB_NODE_STATE_DESTROYING);
2028 
2029 	if (name == NULL)
2030 		return (EINVAL);
2031 
2032 	if (SMB_TREE_CONTAINS_NODE(sr, dnode) == 0)
2033 		return (EACCES);
2034 
2035 	if (!(flags & SMB_CASE_SENSITIVE)) {
2036 		if (SMB_TREE_IS_CASEINSENSITIVE(sr))
2037 			flags |= SMB_IGNORE_CASE;
2038 	}
2039 	if (SMB_TREE_SUPPORTS_CATIA(sr))
2040 		flags |= SMB_CATIA;
2041 	if (SMB_TREE_SUPPORTS_ABE(sr))
2042 		flags |= SMB_ABE;
2043 
2044 	/*
2045 	 * Can have "" or "." when opening named streams on a directory.
2046 	 */
2047 	if (name[0] == '\0' || (name[0] == '.' && name[1] == '\0')) {
2048 		smb_node_ref(dnode);
2049 		*ret_snode = dnode;
2050 		return (0);
2051 	}
2052 
2053 	od_name = kmem_alloc(MAXNAMELEN, KM_SLEEP);
2054 
2055 	rc = smb_vop_lookup(dnode->vp, name, &vp, od_name, flags,
2056 	    &ret_flags, root_node ? root_node->vp : NULL, &attr, cr);
2057 
2058 	if (rc != 0) {
2059 		if (!SMB_TREE_SUPPORTS_SHORTNAMES(sr) ||
2060 		    !smb_maybe_mangled(name)) {
2061 			kmem_free(od_name, MAXNAMELEN);
2062 			return (rc);
2063 		}
2064 
2065 		longname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
2066 		rc = smb_unmangle(dnode, name, longname, MAXNAMELEN, flags);
2067 		if (rc != 0) {
2068 			kmem_free(od_name, MAXNAMELEN);
2069 			kmem_free(longname, MAXNAMELEN);
2070 			return (rc);
2071 		}
2072 
2073 		/*
2074 		 * longname is the real (case-sensitive)
2075 		 * on-disk name.
2076 		 * We make sure we do a lookup on this exact
2077 		 * name, as the name was mangled and denotes
2078 		 * a unique file.
2079 		 */
2080 
2081 		if (flags & SMB_IGNORE_CASE)
2082 			flags &= ~SMB_IGNORE_CASE;
2083 
2084 		rc = smb_vop_lookup(dnode->vp, longname, &vp, od_name,
2085 		    flags, &ret_flags, root_node ? root_node->vp : NULL, &attr,
2086 		    cr);
2087 
2088 		kmem_free(longname, MAXNAMELEN);
2089 
2090 		if (rc != 0) {
2091 			kmem_free(od_name, MAXNAMELEN);
2092 			return (rc);
2093 		}
2094 	}
2095 
2096 	if ((flags & SMB_FOLLOW_LINKS) && (vp->v_type == VLNK) &&
2097 	    ((attr.sa_dosattr & FILE_ATTRIBUTE_REPARSE_POINT) == 0)) {
2098 		rc = smb_pathname(sr, od_name, FOLLOW, root_node, dnode,
2099 		    &lnk_dnode, &lnk_target_node, cr, NULL);
2100 
2101 		if (rc != 0) {
2102 			/*
2103 			 * The link is assumed to be for the last component
2104 			 * of a path.  Hence any ENOTDIR error will be returned
2105 			 * as ENOENT.
2106 			 */
2107 			if (rc == ENOTDIR)
2108 				rc = ENOENT;
2109 
2110 			VN_RELE(vp);
2111 			kmem_free(od_name, MAXNAMELEN);
2112 			return (rc);
2113 		}
2114 
2115 		/*
2116 		 * Release the original VLNK vnode
2117 		 */
2118 
2119 		VN_RELE(vp);
2120 		vp = lnk_target_node->vp;
2121 
2122 		rc = smb_vop_traverse_check(&vp);
2123 
2124 		if (rc != 0) {
2125 			smb_node_release(lnk_dnode);
2126 			smb_node_release(lnk_target_node);
2127 			kmem_free(od_name, MAXNAMELEN);
2128 			return (rc);
2129 		}
2130 
2131 		/*
2132 		 * smb_vop_traverse_check() may have returned a different vnode
2133 		 */
2134 
2135 		if (lnk_target_node->vp == vp) {
2136 			*ret_snode = lnk_target_node;
2137 		} else {
2138 			*ret_snode = smb_node_lookup(sr, NULL, cr, vp,
2139 			    lnk_target_node->od_name, lnk_dnode, NULL);
2140 			VN_RELE(vp);
2141 
2142 			if (*ret_snode == NULL)
2143 				rc = ENOMEM;
2144 			smb_node_release(lnk_target_node);
2145 		}
2146 
2147 		smb_node_release(lnk_dnode);
2148 
2149 	} else {
2150 
2151 		rc = smb_vop_traverse_check(&vp);
2152 		if (rc) {
2153 			VN_RELE(vp);
2154 			kmem_free(od_name, MAXNAMELEN);
2155 			return (rc);
2156 		}
2157 
2158 		*ret_snode = smb_node_lookup(sr, NULL, cr, vp, od_name,
2159 		    dnode, NULL);
2160 		VN_RELE(vp);
2161 
2162 		if (*ret_snode == NULL)
2163 			rc = ENOMEM;
2164 	}
2165 
2166 	kmem_free(od_name, MAXNAMELEN);
2167 	return (rc);
2168 }
2169 
2170 int /*ARGSUSED*/
2171 smb_fsop_commit(smb_request_t *sr, cred_t *cr, smb_node_t *snode)
2172 {
2173 	ASSERT(cr);
2174 	ASSERT(snode);
2175 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
2176 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
2177 
2178 	ASSERT(sr);
2179 	ASSERT(sr->tid_tree);
2180 	if (SMB_TREE_IS_READONLY(sr))
2181 		return (EROFS);
2182 
2183 	return (smb_vop_commit(snode->vp, cr));
2184 }
2185 
2186 /*
2187  * smb_fsop_aclread
2188  *
2189  * Retrieve filesystem ACL. Depends on requested ACLs in
2190  * fs_sd->sd_secinfo, it'll set DACL and SACL pointers in
2191  * fs_sd. Note that requesting a DACL/SACL doesn't mean that
2192  * the corresponding field in fs_sd should be non-NULL upon
2193  * return, since the target ACL might not contain that type of
2194  * entries.
2195  *
2196  * Returned ACL is always in ACE_T (aka ZFS) format.
2197  * If successful the allocated memory for the ACL should be freed
2198  * using smb_fsacl_free() or smb_fssd_term()
2199  */
2200 int
2201 smb_fsop_aclread(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2202     smb_fssd_t *fs_sd)
2203 {
2204 	int error = 0;
2205 	int flags = 0;
2206 	int access = 0;
2207 	acl_t *acl;
2208 
2209 	ASSERT(cr);
2210 
2211 	/* Can't query security on named streams */
2212 	if (SMB_IS_STREAM(snode) != NULL)
2213 		return (EINVAL);
2214 
2215 	if (SMB_TREE_HAS_ACCESS(sr, ACE_READ_ACL) == 0)
2216 		return (EACCES);
2217 
2218 	if (sr->fid_ofile) {
2219 		if (fs_sd->sd_secinfo & SMB_DACL_SECINFO)
2220 			access = READ_CONTROL;
2221 
2222 		if (fs_sd->sd_secinfo & SMB_SACL_SECINFO)
2223 			access |= ACCESS_SYSTEM_SECURITY;
2224 
2225 		error = smb_ofile_access(sr->fid_ofile, cr, access);
2226 		if (error != NT_STATUS_SUCCESS) {
2227 			return (EACCES);
2228 		}
2229 	}
2230 
2231 
2232 	if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS))
2233 		flags = ATTR_NOACLCHECK;
2234 
2235 	error = smb_vop_acl_read(snode->vp, &acl, flags,
2236 	    sr->tid_tree->t_acltype, cr);
2237 	if (error != 0) {
2238 		return (error);
2239 	}
2240 
2241 	error = acl_translate(acl, _ACL_ACE_ENABLED,
2242 	    smb_node_is_dir(snode), fs_sd->sd_uid, fs_sd->sd_gid);
2243 
2244 	if (error == 0) {
2245 		smb_fsacl_split(acl, &fs_sd->sd_zdacl, &fs_sd->sd_zsacl,
2246 		    fs_sd->sd_secinfo);
2247 	}
2248 
2249 	acl_free(acl);
2250 	return (error);
2251 }
2252 
2253 /*
2254  * smb_fsop_aclwrite
2255  *
2256  * Stores the filesystem ACL provided in fs_sd->sd_acl.
2257  */
2258 int
2259 smb_fsop_aclwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2260     smb_fssd_t *fs_sd)
2261 {
2262 	int target_flavor;
2263 	int error = 0;
2264 	int flags = 0;
2265 	int access = 0;
2266 	acl_t *acl, *dacl, *sacl;
2267 
2268 	ASSERT(cr);
2269 
2270 	ASSERT(sr);
2271 	ASSERT(sr->tid_tree);
2272 	if (SMB_TREE_IS_READONLY(sr))
2273 		return (EROFS);
2274 
2275 	/* Can't set security on named streams */
2276 	if (SMB_IS_STREAM(snode) != NULL)
2277 		return (EINVAL);
2278 
2279 	if (SMB_TREE_HAS_ACCESS(sr, ACE_WRITE_ACL) == 0)
2280 		return (EACCES);
2281 
2282 	if (sr->fid_ofile) {
2283 		if (fs_sd->sd_secinfo & SMB_DACL_SECINFO)
2284 			access = WRITE_DAC;
2285 
2286 		if (fs_sd->sd_secinfo & SMB_SACL_SECINFO)
2287 			access |= ACCESS_SYSTEM_SECURITY;
2288 
2289 		error = smb_ofile_access(sr->fid_ofile, cr, access);
2290 		if (error != NT_STATUS_SUCCESS)
2291 			return (EACCES);
2292 	}
2293 
2294 	switch (sr->tid_tree->t_acltype) {
2295 	case ACLENT_T:
2296 		target_flavor = _ACL_ACLENT_ENABLED;
2297 		break;
2298 
2299 	case ACE_T:
2300 		target_flavor = _ACL_ACE_ENABLED;
2301 		break;
2302 	default:
2303 		return (EINVAL);
2304 	}
2305 
2306 	dacl = fs_sd->sd_zdacl;
2307 	sacl = fs_sd->sd_zsacl;
2308 
2309 	ASSERT(dacl || sacl);
2310 	if ((dacl == NULL) && (sacl == NULL))
2311 		return (EINVAL);
2312 
2313 	if (dacl && sacl)
2314 		acl = smb_fsacl_merge(dacl, sacl);
2315 	else if (dacl)
2316 		acl = dacl;
2317 	else
2318 		acl = sacl;
2319 
2320 	error = acl_translate(acl, target_flavor, smb_node_is_dir(snode),
2321 	    fs_sd->sd_uid, fs_sd->sd_gid);
2322 	if (error == 0) {
2323 		if (smb_tree_has_feature(sr->tid_tree,
2324 		    SMB_TREE_ACEMASKONACCESS))
2325 			flags = ATTR_NOACLCHECK;
2326 
2327 		error = smb_vop_acl_write(snode->vp, acl, flags, cr);
2328 	}
2329 
2330 	if (dacl && sacl)
2331 		acl_free(acl);
2332 
2333 	return (error);
2334 }
2335 
2336 acl_type_t
2337 smb_fsop_acltype(smb_node_t *snode)
2338 {
2339 	return (smb_vop_acl_type(snode->vp));
2340 }
2341 
2342 /*
2343  * smb_fsop_sdread
2344  *
2345  * Read the requested security descriptor items from filesystem.
2346  * The items are specified in fs_sd->sd_secinfo.
2347  */
2348 int
2349 smb_fsop_sdread(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2350     smb_fssd_t *fs_sd)
2351 {
2352 	int error = 0;
2353 	int getowner = 0;
2354 	cred_t *ga_cred;
2355 	smb_attr_t attr;
2356 
2357 	ASSERT(cr);
2358 	ASSERT(fs_sd);
2359 
2360 	/* Can't query security on named streams */
2361 	if (SMB_IS_STREAM(snode) != NULL)
2362 		return (EINVAL);
2363 
2364 	/*
2365 	 * File's uid/gid is fetched in two cases:
2366 	 *
2367 	 * 1. it's explicitly requested
2368 	 *
2369 	 * 2. target ACL is ACE_T (ZFS ACL). They're needed for
2370 	 *    owner@/group@ entries. In this case kcred should be used
2371 	 *    because uid/gid are fetched on behalf of smb server.
2372 	 */
2373 	if (fs_sd->sd_secinfo & (SMB_OWNER_SECINFO | SMB_GROUP_SECINFO)) {
2374 		getowner = 1;
2375 		ga_cred = cr;
2376 	} else if (sr->tid_tree->t_acltype == ACE_T) {
2377 		getowner = 1;
2378 		ga_cred = zone_kcred();
2379 	}
2380 
2381 	if (getowner) {
2382 		/*
2383 		 * Windows require READ_CONTROL to read owner/group SID since
2384 		 * they're part of Security Descriptor.
2385 		 * ZFS only requires read_attribute. Need to have a explicit
2386 		 * access check here.
2387 		 */
2388 		if (sr->fid_ofile == NULL) {
2389 			error = smb_fsop_access(sr, ga_cred, snode,
2390 			    READ_CONTROL);
2391 			if (error)
2392 				return (EACCES);
2393 		}
2394 
2395 		attr.sa_mask = SMB_AT_UID | SMB_AT_GID;
2396 		error = smb_fsop_getattr(sr, ga_cred, snode, &attr);
2397 		if (error == 0) {
2398 			fs_sd->sd_uid = attr.sa_vattr.va_uid;
2399 			fs_sd->sd_gid = attr.sa_vattr.va_gid;
2400 		} else {
2401 			return (error);
2402 		}
2403 	}
2404 
2405 	if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) {
2406 		error = smb_fsop_aclread(sr, cr, snode, fs_sd);
2407 	}
2408 
2409 	return (error);
2410 }
2411 
2412 /*
2413  * smb_fsop_sdmerge
2414  *
2415  * From SMB point of view DACL and SACL are two separate list
2416  * which can be manipulated independently without one affecting
2417  * the other, but entries for both DACL and SACL will end up
2418  * in the same ACL if target filesystem supports ACE_T ACLs.
2419  *
2420  * So, if either DACL or SACL is present in the client set request
2421  * the entries corresponding to the non-present ACL shouldn't
2422  * be touched in the FS ACL.
2423  *
2424  * fs_sd parameter contains DACL and SACL specified by SMB
2425  * client to be set on a file/directory. The client could
2426  * specify both or one of these ACLs (if none is specified
2427  * we don't get this far). When both DACL and SACL are given
2428  * by client the existing ACL should be overwritten. If only
2429  * one of them is specified the entries corresponding to the other
2430  * ACL should not be touched. For example, if only DACL
2431  * is specified in input fs_sd, the function reads audit entries
2432  * of the existing ACL of the file and point fs_sd->sd_zsdacl
2433  * pointer to the fetched SACL, this way when smb_fsop_sdwrite()
2434  * function is called the passed fs_sd would point to the specified
2435  * DACL by client and fetched SACL from filesystem, so the file
2436  * will end up with correct ACL.
2437  */
2438 static int
2439 smb_fsop_sdmerge(smb_request_t *sr, smb_node_t *snode, smb_fssd_t *fs_sd)
2440 {
2441 	smb_fssd_t cur_sd;
2442 	cred_t *kcr = zone_kcred();
2443 	int error = 0;
2444 
2445 	if (sr->tid_tree->t_acltype != ACE_T)
2446 		/* Don't bother if target FS doesn't support ACE_T */
2447 		return (0);
2448 
2449 	if ((fs_sd->sd_secinfo & SMB_ACL_SECINFO) != SMB_ACL_SECINFO) {
2450 		if (fs_sd->sd_secinfo & SMB_DACL_SECINFO) {
2451 			/*
2452 			 * Don't overwrite existing audit entries
2453 			 */
2454 			smb_fssd_init(&cur_sd, SMB_SACL_SECINFO,
2455 			    fs_sd->sd_flags);
2456 
2457 			error = smb_fsop_sdread(sr, kcr, snode, &cur_sd);
2458 			if (error == 0) {
2459 				ASSERT(fs_sd->sd_zsacl == NULL);
2460 				fs_sd->sd_zsacl = cur_sd.sd_zsacl;
2461 				if (fs_sd->sd_zsacl && fs_sd->sd_zdacl)
2462 					fs_sd->sd_zsacl->acl_flags =
2463 					    fs_sd->sd_zdacl->acl_flags;
2464 			}
2465 		} else {
2466 			/*
2467 			 * Don't overwrite existing access entries
2468 			 */
2469 			smb_fssd_init(&cur_sd, SMB_DACL_SECINFO,
2470 			    fs_sd->sd_flags);
2471 
2472 			error = smb_fsop_sdread(sr, kcr, snode, &cur_sd);
2473 			if (error == 0) {
2474 				ASSERT(fs_sd->sd_zdacl == NULL);
2475 				fs_sd->sd_zdacl = cur_sd.sd_zdacl;
2476 				if (fs_sd->sd_zdacl && fs_sd->sd_zsacl)
2477 					fs_sd->sd_zdacl->acl_flags =
2478 					    fs_sd->sd_zsacl->acl_flags;
2479 			}
2480 		}
2481 
2482 		if (error)
2483 			smb_fssd_term(&cur_sd);
2484 	}
2485 
2486 	return (error);
2487 }
2488 
2489 /*
2490  * smb_fsop_sdwrite
2491  *
2492  * Stores the given uid, gid and acl in filesystem.
2493  * Provided items in fs_sd are specified by fs_sd->sd_secinfo.
2494  *
2495  * A SMB security descriptor could contain owner, primary group,
2496  * DACL and SACL. Setting an SD should be atomic but here it has to
2497  * be done via two separate FS operations: VOP_SETATTR and
2498  * VOP_SETSECATTR. Therefore, this function has to simulate the
2499  * atomicity as well as it can.
2500  *
2501  * Get the current uid, gid before setting the new uid/gid
2502  * so if smb_fsop_aclwrite fails they can be restored. root cred is
2503  * used to get currend uid/gid since this operation is performed on
2504  * behalf of the server not the user.
2505  *
2506  * If setting uid/gid fails with EPERM it means that and invalid
2507  * owner has been specified. Callers should translate this to
2508  * STATUS_INVALID_OWNER which is not the normal mapping for EPERM
2509  * in upper layers, so EPERM is mapped to EBADE.
2510  *
2511  * If 'overwrite' is non-zero, then the existing ACL is ignored.
2512  */
2513 int
2514 smb_fsop_sdwrite(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2515     smb_fssd_t *fs_sd, int overwrite)
2516 {
2517 	smb_attr_t set_attr;
2518 	smb_attr_t orig_attr;
2519 	cred_t *kcr = zone_kcred();
2520 	int error = 0;
2521 	int access = 0;
2522 
2523 	ASSERT(cr);
2524 	ASSERT(fs_sd);
2525 
2526 	ASSERT(sr);
2527 	ASSERT(sr->tid_tree);
2528 	if (SMB_TREE_IS_READONLY(sr))
2529 		return (EROFS);
2530 
2531 	/* Can't set security on named streams */
2532 	if (SMB_IS_STREAM(snode) != NULL)
2533 		return (EINVAL);
2534 
2535 	bzero(&set_attr, sizeof (smb_attr_t));
2536 
2537 	if (fs_sd->sd_secinfo & SMB_OWNER_SECINFO) {
2538 		set_attr.sa_vattr.va_uid = fs_sd->sd_uid;
2539 		set_attr.sa_mask |= SMB_AT_UID;
2540 		access |= WRITE_OWNER;
2541 	}
2542 
2543 	if (fs_sd->sd_secinfo & SMB_GROUP_SECINFO) {
2544 		set_attr.sa_vattr.va_gid = fs_sd->sd_gid;
2545 		set_attr.sa_mask |= SMB_AT_GID;
2546 		access |= WRITE_OWNER;
2547 	}
2548 
2549 	if (fs_sd->sd_secinfo & SMB_DACL_SECINFO)
2550 		access |= WRITE_DAC;
2551 
2552 	if (fs_sd->sd_secinfo & SMB_SACL_SECINFO)
2553 		access |= ACCESS_SYSTEM_SECURITY;
2554 
2555 	if (sr->fid_ofile)
2556 		error = smb_ofile_access(sr->fid_ofile, cr, access);
2557 	else
2558 		error = smb_fsop_access(sr, cr, snode, access);
2559 
2560 	if (error)
2561 		return (EACCES);
2562 
2563 	if (set_attr.sa_mask) {
2564 		orig_attr.sa_mask = SMB_AT_UID | SMB_AT_GID;
2565 		error = smb_fsop_getattr(sr, kcr, snode, &orig_attr);
2566 		if (error == 0) {
2567 			error = smb_fsop_setattr(sr, cr, snode, &set_attr);
2568 			if (error == EPERM)
2569 				error = EBADE;
2570 		}
2571 
2572 		if (error)
2573 			return (error);
2574 	}
2575 
2576 	if (fs_sd->sd_secinfo & SMB_ACL_SECINFO) {
2577 		if (overwrite == 0)
2578 			error = smb_fsop_sdmerge(sr, snode, fs_sd);
2579 
2580 		if (error == 0)
2581 			error = smb_fsop_aclwrite(sr, cr, snode, fs_sd);
2582 
2583 		if (error != 0) {
2584 			/*
2585 			 * Revert uid/gid changes if required.
2586 			 */
2587 			if (set_attr.sa_mask) {
2588 				orig_attr.sa_mask = set_attr.sa_mask;
2589 				(void) smb_fsop_setattr(sr, kcr, snode,
2590 				    &orig_attr);
2591 			}
2592 		}
2593 	}
2594 
2595 	return (error);
2596 }
2597 
2598 #ifdef	_KERNEL
2599 /*
2600  * smb_fsop_sdinherit
2601  *
2602  * Inherit the security descriptor from the parent container.
2603  * This function is called after FS has created the file/folder
2604  * so if this doesn't do anything it means FS inheritance is
2605  * in place.
2606  *
2607  * Do inheritance for ZFS internally.
2608  *
2609  * If we want to let ZFS does the inheritance the
2610  * following setting should be true:
2611  *
2612  *  - aclinherit = passthrough
2613  *  - aclmode = passthrough
2614  *  - smbd umask = 0777
2615  *
2616  * This will result in right effective permissions but
2617  * ZFS will always add 6 ACEs for owner, owning group
2618  * and others to be POSIX compliant. This is not what
2619  * Windows clients/users expect, so we decided that CIFS
2620  * implements Windows rules and overwrite whatever ZFS
2621  * comes up with. This way we also don't have to care
2622  * about ZFS aclinherit and aclmode settings.
2623  */
2624 static int
2625 smb_fsop_sdinherit(smb_request_t *sr, smb_node_t *dnode, smb_fssd_t *fs_sd)
2626 {
2627 	acl_t *dacl = NULL;
2628 	acl_t *sacl = NULL;
2629 	int is_dir;
2630 	int error;
2631 	uint32_t secinfo;
2632 	smb_fssd_t pfs_sd;
2633 
2634 	ASSERT(fs_sd);
2635 
2636 	secinfo = fs_sd->sd_secinfo;
2637 
2638 	/* Anything to do? */
2639 	if ((secinfo & SMB_ACL_SECINFO) == SMB_ACL_SECINFO)
2640 		return (0);
2641 
2642 	/*
2643 	 * No forced inheritance for non-ZFS filesystems.
2644 	 */
2645 	if (sr->tid_tree->t_acltype != ACE_T)
2646 		return (0);
2647 
2648 	smb_fssd_init(&pfs_sd, SMB_ACL_SECINFO, fs_sd->sd_flags);
2649 
2650 	/* Fetch parent directory's ACL */
2651 	error = smb_fsop_sdread(sr, zone_kcred(), dnode, &pfs_sd);
2652 	if (error) {
2653 		return (error);
2654 	}
2655 
2656 	is_dir = (fs_sd->sd_flags & SMB_FSSD_FLAGS_DIR);
2657 	if ((secinfo & SMB_DACL_SECINFO) == 0) {
2658 		dacl = smb_fsacl_inherit(pfs_sd.sd_zdacl, is_dir,
2659 		    SMB_DACL_SECINFO, sr->user_cr);
2660 		fs_sd->sd_zdacl = dacl;
2661 	}
2662 
2663 	if ((secinfo & SMB_SACL_SECINFO) == 0) {
2664 		sacl = smb_fsacl_inherit(pfs_sd.sd_zsacl, is_dir,
2665 		    SMB_SACL_SECINFO, sr->user_cr);
2666 		fs_sd->sd_zsacl = sacl;
2667 	}
2668 
2669 	smb_fsacl_free(pfs_sd.sd_zdacl);
2670 	smb_fsacl_free(pfs_sd.sd_zsacl);
2671 	return (0);
2672 }
2673 #endif	/* _KERNEL */
2674 
2675 /*
2676  * smb_fsop_eaccess
2677  *
2678  * Returns the effective permission of the given credential for the
2679  * specified object.
2680  *
2681  * This is just a workaround. We need VFS/FS support for this.
2682  */
2683 void
2684 smb_fsop_eaccess(smb_request_t *sr, cred_t *cr, smb_node_t *snode,
2685     uint32_t *eaccess)
2686 {
2687 	int access = 0;
2688 	vnode_t *dir_vp;
2689 	smb_node_t *unnamed_node;
2690 
2691 	ASSERT(cr);
2692 	ASSERT(snode);
2693 	ASSERT(snode->n_magic == SMB_NODE_MAGIC);
2694 	ASSERT(snode->n_state != SMB_NODE_STATE_DESTROYING);
2695 
2696 	unnamed_node = SMB_IS_STREAM(snode);
2697 	if (unnamed_node) {
2698 		ASSERT(unnamed_node->n_magic == SMB_NODE_MAGIC);
2699 		ASSERT(unnamed_node->n_state != SMB_NODE_STATE_DESTROYING);
2700 		/*
2701 		 * Streams authorization should be performed against the
2702 		 * unnamed stream.
2703 		 */
2704 		snode = unnamed_node;
2705 	}
2706 
2707 	if (smb_tree_has_feature(sr->tid_tree, SMB_TREE_ACEMASKONACCESS)) {
2708 		dir_vp = (snode->n_dnode) ? snode->n_dnode->vp : NULL;
2709 		smb_vop_eaccess(snode->vp, (int *)eaccess, V_ACE_MASK, dir_vp,
2710 		    cr);
2711 		return;
2712 	}
2713 
2714 	/*
2715 	 * FS doesn't understand 32-bit mask
2716 	 */
2717 	smb_vop_eaccess(snode->vp, &access, 0, NULL, cr);
2718 	access &= sr->tid_tree->t_access;
2719 
2720 	*eaccess = READ_CONTROL | FILE_READ_EA | FILE_READ_ATTRIBUTES;
2721 
2722 	if (access & VREAD)
2723 		*eaccess |= FILE_READ_DATA;
2724 
2725 	if (access & VEXEC)
2726 		*eaccess |= FILE_EXECUTE;
2727 
2728 	if (access & VWRITE)
2729 		*eaccess |= FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES |
2730 		    FILE_WRITE_EA | FILE_APPEND_DATA | FILE_DELETE_CHILD;
2731 
2732 	if (access & (VREAD | VWRITE))
2733 		*eaccess |= SYNCHRONIZE;
2734 
2735 #ifdef	_FAKE_KERNEL
2736 	/* Should be: if (we are the owner)... */
2737 	if (access & VWRITE)
2738 		*eaccess |= DELETE | WRITE_DAC | WRITE_OWNER;
2739 #endif
2740 }
2741 
2742 /*
2743  * smb_fsop_shrlock
2744  *
2745  * For the current open request, check file sharing rules
2746  * against existing opens.
2747  *
2748  * Returns NT_STATUS_SHARING_VIOLATION if there is any
2749  * sharing conflict.  Returns NT_STATUS_SUCCESS otherwise.
2750  *
2751  * Full system-wide share reservation synchronization is available
2752  * when the nbmand (non-blocking mandatory) mount option is set
2753  * (i.e. nbl_need_crit() is true) and nbmand critical regions are used.
2754  * This provides synchronization with NFS and local processes.  The
2755  * critical regions are entered in VOP_SHRLOCK()/fs_shrlock() (called
2756  * from smb_open_subr()/smb_fsop_shrlock()/smb_vop_shrlock()) as well
2757  * as the CIFS rename and delete paths.
2758  *
2759  * The CIFS server will also enter the nbl critical region in the open,
2760  * rename, and delete paths when nbmand is not set.  There is limited
2761  * coordination with local and VFS share reservations in this case.
2762  * Note that when the nbmand mount option is not set, the VFS layer
2763  * only processes advisory reservations and the delete mode is not checked.
2764  *
2765  * Whether or not the nbmand mount option is set, intra-CIFS share
2766  * checking is done in the open, delete, and rename paths using a CIFS
2767  * critical region (node->n_share_lock).
2768  */
2769 uint32_t
2770 smb_fsop_shrlock(cred_t *cr, smb_node_t *node, uint32_t uniq_fid,
2771     uint32_t desired_access, uint32_t share_access)
2772 {
2773 	int rc;
2774 
2775 	/* Allow access if the request is just for meta data */
2776 	if ((desired_access & FILE_DATA_ALL) == 0)
2777 		return (NT_STATUS_SUCCESS);
2778 
2779 	rc = smb_node_open_check(node, desired_access, share_access);
2780 	if (rc)
2781 		return (NT_STATUS_SHARING_VIOLATION);
2782 
2783 	rc = smb_vop_shrlock(node->vp, uniq_fid, desired_access, share_access,
2784 	    cr);
2785 	if (rc)
2786 		return (NT_STATUS_SHARING_VIOLATION);
2787 
2788 	return (NT_STATUS_SUCCESS);
2789 }
2790 
2791 void
2792 smb_fsop_unshrlock(cred_t *cr, smb_node_t *node, uint32_t uniq_fid)
2793 {
2794 	(void) smb_vop_unshrlock(node->vp, uniq_fid, cr);
2795 }
2796 
2797 int
2798 smb_fsop_frlock(smb_node_t *node, smb_lock_t *lock, boolean_t unlock,
2799     cred_t *cr)
2800 {
2801 	flock64_t bf;
2802 	int flag = F_REMOTELOCK;
2803 
2804 	/*
2805 	 * VOP_FRLOCK() will not be called if:
2806 	 *
2807 	 * 1) The lock has a range of zero bytes. The semantics of Windows and
2808 	 *    POSIX are different. In the case of POSIX it asks for the locking
2809 	 *    of all the bytes from the offset provided until the end of the
2810 	 *    file. In the case of Windows a range of zero locks nothing and
2811 	 *    doesn't conflict with any other lock.
2812 	 *
2813 	 * 2) The lock rolls over (start + lenght < start). Solaris will assert
2814 	 *    if such a request is submitted. This will not create
2815 	 *    incompatibilities between POSIX and Windows. In the Windows world,
2816 	 *    if a client submits such a lock, the server will not lock any
2817 	 *    bytes. Interestingly if the same lock (same offset and length) is
2818 	 *    resubmitted Windows will consider that there is an overlap and
2819 	 *    the granting rules will then apply.
2820 	 *
2821 	 * 3) The SMB-level process IDs (smb_pid) are not passed down to the
2822 	 *    POSIX level in l_pid because (a) the rules about lock PIDs are
2823 	 *    different in SMB, and (b) we're putting our ofile f_uniqid in
2824 	 *    the POSIX l_pid field to segregate locks per SMB ofile.
2825 	 *    (We're also using a "remote" system ID in l_sysid.)
2826 	 *    All SMB locking PIDs are handled at the SMB level and
2827 	 *    not exposed in POSIX locking.
2828 	 */
2829 	if ((lock->l_length == 0) ||
2830 	    ((lock->l_start + lock->l_length - 1) < lock->l_start))
2831 		return (0);
2832 
2833 	bzero(&bf, sizeof (bf));
2834 
2835 	if (unlock) {
2836 		bf.l_type = F_UNLCK;
2837 	} else if (lock->l_type == SMB_LOCK_TYPE_READONLY) {
2838 		bf.l_type = F_RDLCK;
2839 		flag |= FREAD;
2840 	} else if (lock->l_type == SMB_LOCK_TYPE_READWRITE) {
2841 		bf.l_type = F_WRLCK;
2842 		flag |= FWRITE;
2843 	}
2844 
2845 	bf.l_start = lock->l_start;
2846 	bf.l_len = lock->l_length;
2847 	bf.l_pid = lock->l_file->f_uniqid;
2848 	bf.l_sysid = smb_ct.cc_sysid;
2849 
2850 	return (smb_vop_frlock(node->vp, cr, flag, &bf));
2851 }
2852